15

(Sorry if this is too basic, I'm not a web dev)

When a third-party web site offers you to "sign in with Google", what risks are you taking: Are you just giving it (the third party) your name and gmail address, or are you giving it anything else just by signing in?

MWB
  • 524

3 Answers3

7

As @Tetsujin mentions, you share personal data with Google they would not otherwise have. You also share with the other account information from Google that they would not otherwise have.

Another risk is that you have inserted a dependency of requiring that particular Google account to access and use your other account. You lose access to your other account if you lose access to your Google account, or the other account stops supporting Google sign-in, or if Google drops that other service due to legal / political / other issues.

If your Google account gets hacked or breached, you put the other account at risk.

If you use sign in with Google on a lot of other accounts, you have a pretty large single point of failure.

pseudon
  • 363
  • 1
    Many of these risks would also seem to apply if I create a separate account on that website and enter a Gmail address there. Then too I am telling Google I am registering on that website (because they send me a confirmation email), anyone with access to my Google account can reset the password, and I lose access to my account if I forget the password and no longer have access to my Google account. Am I mistaken in any of these points? – wonderbear May 01 '23 at 17:50
  • 1
    @wonderbear: Note that "if I forget the password and no longer have access to my Google account" is now two faults; it is "single fault tolerant". Whereas "login with Google" has a single point of failure. – Ben Voigt May 01 '23 at 18:26
  • If you register with a Gmail address, Google only gets sender, subject, or contents if they scrape your emails, something they claim not to do for ads / personalization. – pseudon May 01 '23 at 23:15
4

When you click on that button, it will redirect to Google's sign in page, and once you sign in, Google should show you what information of your Google account is shared. Some websites might also allow you to enable/disable the sharing of certain info.

Most social media apps should just need name, email, avatar. Other apps might need more depending on what they do/want.

charlesz
  • 311
  • Strange. I just did it, but I didn't see any permissions menu. – MWB May 01 '23 at 07:07
  • "When you click on that button, it will redirect to Google's sign in page" is how it is supposed to work. However you as the website visitor have very little recourse if the webpage spoofs the sign-in page instead of using the genuine Google one. – Ben Voigt May 01 '23 at 14:11
  • @BenVoigt You can check the URL. – charlesz May 01 '23 at 17:29
3

I would consider the main 'risk' being that by using the service, you are contributing your personal 'interest list' to an organisation whose entire raison d'être is to sell targeted advertising to 3rd parties.

I would see that as sufficient reason to never use this type of service.

Tetsujin
  • 49,589