I had on my list to check out Leave Me Alone, a service that purportedly helps unsubscribe you from newsletters and such. You give it access, and it, presumably, starts digging through your email finding newsletters it can help you unsubscribe from. Seems useful, if you trust a third party reading your email. That’s a big leap for me, erring on “no”.
I thought I’d just sign up and get as far as I could before it got creepy. This is where it got creepy:
There is a step here where you have to type your Gmail password into their app. Nope. You never see this. Google has secure auth systems where the only place you type in your password is on a real secure Google URL. No way in hell am I coughing up a password like that to a third party.
Remember, if your email is hacked, your entire life is hacked. The person with access to your email can reset your password anywhere else.
I have no idea if the company is credible or not, and to their credit, they tell you to turn on 2-factor auth before proceeding, but this just smells all kinds of fishy.
One response to “Leave Me Alone Leave Me Alone”
It has been a long while since I left Gmail, so I’m a bit fuzzy on how Google’s two-factor authentication and app passwords work these days. I know that on Fastmail (the provider I use now), you can control what protocols a given app password can access, and Fastmail encourages you to limit that to only what’s required. I see from the screenshot you posted that Leave Me Alone are asking for an app password rather than your account password, and I would *hope* that they’d stop if a user entered the latter. But that puts the onus on the user being savvy enough to know how to manage two-factor authentication and control access to their Google account and services. And I’d suspect that such a person might not actually need the services of Leave Me Alone.