undefined | Better HN

0 pointsjgalt2123y ago0 comments

Yes, that's the way it works. But what's stopping a bad actor from putting up a bogus "Sign in with Google" form on their website solely to harvest credentials?

0 comments

4 comments · 2 top-level

mukesh6103y ago· 1 in thread

I'm confused. In your first comment you seemed to refer to legitimate sites harvesting credentials using Google SSO (whatever that means)

Now you're talking about phishing sites.

Can you clarify which kind of websites you're referring to?

jgalt212OP3y ago

I was always talking about bad actors (i.e. phishing sites).

joshuamorton3y ago· 1 in thread

What credentials could they harvest?

If I'm asked to sign in with google via oauth, I never type in my password (or username!).

funstuff0073y ago

true, but that's only the case if you're currently authenticated with Google. Not true after deleting cookies and/or local storage. But more importantly, less savy tech folks might not be aware that they should not have to re-enter credentials if they have recently logged into gmail or other google owned services.

j / k navigate · click thread line to collapse