An open letter to Sundar Pichai and Sergey Brin of Google on OAuth 2.0
OAuth 2.0 failed on one occasion
Honestly, I don't know where to begin this article as I am aware how powerful Google is and Google and YouTube have blocked some of my articles until today. OAuth 2.0 failed when my Samsung Galaxy 9 plus motherboard failed. A week earlier I had sent it off for repair as the LCD screen was garbage and I could not make out what was on the screen. Samsung Malaysia would not give me a warranty after repair as I had bought the smartphone overseas. What a shame Samsung. That was when I decided not to allow Samsung to repair my phone and took it to a smartphone repairer. A week later the motherboard died on me.
Before my Samsung smartphone died on me I had tried to log in to Google Gmail. Google kept asking me to confirm who I am with their OAuth 2.0 technology and was using my smartphone to check if I was the genuine owner of my email account. This is because I tend to clear all cookies and whatever with Spybot Search & Destroy to ensure that any potential threats to my PC could be reduced.
When my phone was failing it would freeze up just before I could click on the answer for the Google question on my phone. This is because I wanted to read my emails on my computer but Google wanted to confirm I am the correct person through my smartphone.
What shocked me was that if I waited a while I would be allowed to log in to my Gmail account even though I had tried to select the required answer while my phone had frozen. Shocking, isn't it?
Could not download backed up smartphone contacts
This was very frustrating. My previous Android smartphones had always backed up my contacts to my Gmail account. Unfortunately, when I changed to an iPhone XS Max it could not download my backed up contacts. I have lost a few hundred contacts at least - wiped out, gone forever. Now I have hardly any contacts in my new iPhone and have to wait for friends to call, SMS or WhatsApp me before I can save their numbers. Isn't that bad? I don't think I can depend on Google facilities anymore and have to find alternative backup plans should Google fail again.
Less Secure Apps Access blocked by Google
When Google came out with OAuth 2.0 and classified programs that didn't use OAuth 2.0 as 'Less Secure Apps Access' I cried my heart out. I had written lots of code to block hackers and was giving away my 'Contact Us' form for free so that others could have a 'Contact Us' form on their websites.
Google told us that our email passwords could be seen by others because we were not using SSL to protect our websites. Then they told us that since we were not using OAuth 2.0 our apps would be classified as 'Less Secure Apps Access'.
Initially, I didn't think there would be a fallout and didn't suspect that it would create more problems for me until I realized that I was not receiving any emails from visitors to my websites. Upon checking I found out that Google had blocked my 'Contact Us Form' from sending out emails as it was classified as a 'Less Secure Apps Access'. That I thought was the height of stupidity from a multi-billion dollar mega corporation. What happened to freedom of speech? What happened to freedom of choice? If I don't want to use OAuth 2.0 should I be blocked from using something else? Have you seen the OAuth 2.0 documentation? It is impossibly difficult to understand and use.
Do you know what was worse? When I installed SSL on my website (now https:// instead of http://) Google still blocked my 'Contact Us Form' from working. It was still considered a 'Less Secure Apps Access' and blocked from sending out emails. It appears they are spreading fake news about hackers and pirates to block other systems from working so that only OAuth 2.0 is allowed to work. Wouldn't that stifle innovation in smaller companies?
I found out that if no one fills up your website 'Contact Us Form' Google will block your 'Contact Us Form' from working. So it appears that every few days or weeks you need to check if your 'Contact Us Form' is working and not blocked. That is a real pain for small time developers, right? Worse still, Google does not inform you that your app has been blocked and visitors to your site will get all sorts of SMTP error messages when they try to fill up the 'Contact Us Form' on your website. That is a disaster for small developers and websites because it frightens off visitors into thinking your website has been corrupted by hackers and you end up losing a lot of potential business. Google really doesn't care for the small time developers.
A simple solution for Less Secure Apps Access
There is a simple solution for 'Less Secure Apps Access' to work. That is to have a second email password. When you log into your email account with the second password you cannot view or delete any emails. The only thing you can do is to send out an email or two. That will allow 'Contact Us Forms' to work properly and send out emails back to the webmaster or website publisher and the visitor. This simple solution of a secondary password will help many developers of 'Contact Us Forms' as there would be no software upgrades required for existing code. Simple and elegant solution.
My own simple solution for Less Secure Apps Access
I have modified and upgraded my 'Contact Us Form' to ensure all emails that were blocked by Google will be saved in the website. Saving visitor messages is brilliant as if your visitor's message fails to be emailed you can still check what messages they submitted. Really it is a Google problem as they have come up with the 'Less Secure Apps Access' which I think has not been thought through thoroughly and penalises small time developers.
There are serious problems with Google's 'Less Secure Apps Access'. One of these problems is that it keeps turning off when not used every day and blocks email messages. I lost a lot of messages from visitors with this stupid Google function and visitors thought that my contact form was not working properly - Google misleading my visitors. What happens if you only get 1 or 2 visitors per year that fill up your 'Contact Us Form'? Getting very low visitor message submissions through your website's 'Contact Us Form' indicates that no one is trying to hack your system, right? So why does Google block such sites' email messages? Google didn't think through thoroughly their implementation of 'Less Secure Apps Access'. Actually, it was Google that turned off the email delivery of my 'Contact Us Form'. That is why I upgraded ppContactForm to allow messages, that failed to be sent by email, to be read by the webmasters and don't require the use of any emails. The Free No Email Contact Us Form
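The fallback described in the last two sections, a contact form that still keeps the visitor's message when the mail provider rejects the send, can be shown in a few lines. The following is an added example written for this page; it is not ppContactForm's code and not anything Google publishes. The SMTP host, the webmaster address and the SQLite file name are assumptions, and the message is also stored when the send succeeds so the webmaster has one place to read everything, as the 'no email' variant above does. Visitor-supplied header fields are reduced to a single line before they reach the mail message, since a newline in a name or subject is the usual way a form gets abused to inject extra recipients.

```python
"""Contact-form handler that never loses a message when SMTP fails.

Added example, not ppContactForm's own code. Every submission is written to a
local SQLite store together with its delivery status; if the SMTP send is
rejected (for example a provider refusing the login), the error is recorded and
the visitor still gets a normal 'message received' result.
"""
import smtplib
import sqlite3
from datetime import datetime, timezone
from email.message import EmailMessage

DB_PATH = "contact_messages.sqlite3"   # assumed path on the web server
WEBMASTER = "webmaster@example.com"     # assumed address
SMTP_HOST = "smtp.example.com"          # assumed provider host

CREATE_SQL = """CREATE TABLE IF NOT EXISTS messages (
    id INTEGER PRIMARY KEY, received_at TEXT, name TEXT, email TEXT,
    subject TEXT, body TEXT, delivery TEXT, error TEXT)"""


def single_line(value: str) -> str:
    """Collapse CR/LF so a visitor field cannot smuggle extra mail headers."""
    return value.replace("\r", " ").replace("\n", " ").strip()


def build_message(name: str, email: str, subject: str, body: str) -> EmailMessage:
    """Compose the notification mail; only sanitized values go into headers."""
    msg = EmailMessage()
    msg["From"] = WEBMASTER
    msg["To"] = WEBMASTER
    msg["Reply-To"] = single_line(email)
    msg["Subject"] = "[Contact form] " + single_line(subject)
    msg.set_content(f"From: {single_line(name)} <{single_line(email)}>\n\n{body}")
    return msg


def send_via_smtp(msg: EmailMessage, host=SMTP_HOST, port=587, user=None, password=None):
    """Real sender: STARTTLS then optional login, raises on any failure."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls()
        if user:
            smtp.login(user, password)
        smtp.send_message(msg)


def record(conn, name, email, subject, body, delivery, error=None):
    """Persist the submission and how its delivery went."""
    conn.execute(CREATE_SQL)
    conn.execute(
        "INSERT INTO messages (received_at, name, email, subject, body, delivery, error)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), name, email, subject, body, delivery, error),
    )
    conn.commit()


def handle_submission(conn, name, email, subject, body, sender=send_via_smtp) -> str:
    """Return 'emailed' or 'stored'; a mail failure is logged, not shown as an error."""
    msg = build_message(name, email, subject, body)
    try:
        sender(msg)
        record(conn, name, email, subject, body, "emailed")
        return "emailed"
    except Exception as exc:  # SMTPAuthenticationError, SMTPRecipientsRefused, OSError, ...
        record(conn, name, email, subject, body, "stored", f"{type(exc).__name__}: {exc}")
        return "stored"


def unsent_messages(conn):
    """What the webmaster reads when the provider has been rejecting sends."""
    return conn.execute(
        "SELECT name, email, subject, body, error FROM messages"
        " WHERE delivery != 'emailed' ORDER BY id"
    ).fetchall()


if __name__ == "__main__":
    # Constructed demo: a sender that behaves like a provider refusing the login.
    def rejecting_sender(msg):
        raise smtplib.SMTPAuthenticationError(535, b"Authentication failed (constructed)")

    db = sqlite3.connect(DB_PATH)
    status = handle_submission(db, "Visitor", "visitor@example.net",
                               "Question", "Constructed test body", sender=rejecting_sender)
    print("delivery:", status)
    for row in unsent_messages(db):
        print("pending:", row)
```

With a sender that raises, the visitor sees a normal result, the row is kept with the provider's error text, and the webmaster reads it from `unsent_messages`; swapping `sender` for the real `send_via_smtp` is the only change for production use.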
- Dr. Peter Achutha, 7th June 2021