Tuesday, April 3, 2012

I convinced 100s of people to give me their GMail passwords

Honestly, it wasn't intentional.  My goal was just to sync my Facebook Friends with my GMail Contacts.  I tried searching for an app that could do it, but I couldn't find one and so I figured this might be a good opportunity to learn a little about developing with Facebook & Google.  My only intention was to scratch an itch that had been bothering me for a little while, but then it got popular.

My first pass at the app was just for myself so I hard coded my Facebook username & password and my Google username & password.  I figured it would just be for me and running on my machine at home so why bothering making it generic.  Really I just wanted to play with the APIs and get something that worked.  But then the Missus saw it, thought it was cool and asked if I could hook her up too.  I could have continued with the hard coded approach, but now that I had multiple users, it seemed like a good excuse to make it a full fledged Facebook app.

Rather than just have it run on my server at home I could make it an official apps.facebook.com app with a User Interface and everything.  I could use the Facebook login mechanism so I didn't have to hard code my username & password and I could play with all of the cool Facebook APIs.  I was particularly excited about posting a message to my wall every time it synced.  Wouldn't everyone want to see how cool my app was? Every day? Surely they would.

So I whipped it all up.  Whipped is maybe overstating it.  I had a young son and another on the way and a full time job.  I worked on it when I could.  Eventually, though, it was working.  Anyone could sign up as long as they had a Facebook account.  I didn't need to know your Facebook username & password , but the catch was that I did need your GMail username & password.  The site had a nice clean interface (if I say so myself) with the slightest touch of whimsy and a great big text box for your GMail username & password.

I filled it out.  My wife filled it out.  And I thought that would be the end of it.  But a weird thing happened.  Every day the app posted a message to my wall that said that I had just synced my Facebook & GMail contacts with a link to the app.  That's when the questions started.  My friends started asking me: "What is this thing?" "Does it really work?" "Can I try it?"  Pretty soon a bunch of my friends had signed. up.  People who never in a million years would have given me their GMail password if I had asked, were all too happy to type it into a website.  Even though it was a website they knew I made. Then it got even weirder.

I rarely ever checked the logs on my app.  It was working fine for me so I didn't have much reason to care.  Nevertheless, out of curiosity one day I checked the logs and noticed that I had over twenty users.  Wow! Twenty of my friends checked this thing out?  Wow, that's pretty cool.  Then I noticed one of the users was someone I had never met.  Apparently some friend of a friend had seen the app and signed up.  That's pretty cool I thought.

A few weeks later I checked again and this time I had over 100 users.80% of which I didn't know and all of which had given me their GMail username & password.  "This is getting out of hand" I would have thought if I had time to think but my kids were yelling and the bills needed to get paid.

By November of 2011 I had over 500 users all of whom gave me their GMail username & password, the vast majority of whom had absolutely no reason to trust me.  It turns out that I'm not interested in exploiting these fine people but they didn't know that.  They blindly entered their GMail username & password into a website and just like that could have given up tons of personal information and potentially financial information too.

In November 2011, Facebook instituted a new security requirement that all Facebook apps support HTTPS.  This does add some amount of security to your transactions but doesn't really help when you're giving a website your GMail password.  Anyway, I was doing this as a hobby and wasn't really paying attention to new Facebook requirements.  And even if I was, I wasn't about to shell out $100+ for an SSL certificate so that I could be HTTPS compliant.  Especially for a service that I wasn't making money on.  In fact, you could argue that I was losing money on it if you count the time/effort I put into it plus the cost of running my server.  In fact, I wouldn't have even noticed that Facebook had stopped access to the service if people hadn't started complaining to me that the Syncer wasn't working any more.  These were people I never met.  People who had started relying on this service.  It was crazy!

I didn't have time to fix the service so I just let it languish.  I started getting angry service complaints from people who wanted their Syncer but I didn't have the free time to figure out any solutions.  I figured I would let it run so that people who already signed up could continue to sync and not get pissed off at me.

Finally in March 2012 I decided to rewrite the application.  This time my first priority was to avoid having anyone's username or password.  There are actually standards for this and it wasn't terribly difficult to implement but I never thought the app would reach the kind of audience it did.  And that was with all of the odds against it.  The new version of the app doesn't require any usernames or passwords.  It uses the Facebook / Google APIs to let you authenticate with those services directly and my app never sees your personal information.  I also signed up with a service to provide HTTPS so that Facebook will play nice as well.  You can find the new app at https://apps.facebook.com/gmailsyncer.  However, the moral of this story is NEVER GIVE YOUR GMAIL PASSWORD TO ANYONE OTHER THAN GMAIL!


  1. Your app fills a need- that's always good to know, isn't it?! I like to test things and usually I am all, "um, why do you need my password," but I never even thought about it with the Gmail Syncer... you're just to honest-looking.

  2. Lol - thanks Kristina! And thanks for trying out the app! Maybe I need to use my honest-looks to make some money off this thing :-)