Yesterday I mentioned one of my favorite Google gadgets and today I’m going to talk about my least favorite gadget.
There is a lot of sensitive information stored in a persons Google account. Adsense, Analytics, Adwords, and the list goes on. If I were a Phishing scammer, a Google login would be almost as good as bank account information. Maybe even better as stealing money from a bank would draw the attention of the FBI. I’m not sure how much action I could get on a stolen Google account.
So why in the world is Google letting people add Google gadgets to the gadget directory that ask for Google account username and passwords? Take the Your AdSense Revenue @ iGoogle gadget for example. Based on the notes on the gadget page, the source code of the gadget, and the information found on the gadget publishers website, I would say there is a good chance this is a phishing scam. If a person was to do a normal gadget search and add that gadget to their iGoogle homepage without clicking on the gadget detail, it looks very official.
I know some will say people should be more careful and not give out their Google login information to any third party. That warning flies out the window though when the page where the login information is being asked for is actually on Google.com. The majority of web users, even experienced ones, could easily be fooled by such a gadget as there is no clear warning that the login information is being sent to some random website and not being used solely by Google.
If someone wanted to get really evil and sneaky they would create a similar gadget to the one above, but make it for some random Google service like webmaster tools, analytics, ect. A service that is not involved with any monitory parts of a Google account and therefore easier to convince people to submit login information for. The same login of course gains access to Adsense and Adwords.
Google has a responsibility to fix this loophole. Gadgets should not be allowed in the directory that ask for Google account information. There is an API for that. They should also make it “very” clear to all users who add Gadgets asking for login information to any service, that the information submitted is sent to an unknown 3rd party and is not stored at Google.