/ securityprivacyapi

When you close an online account, don't forget to check any other connected accounts

I was closing out an account on a website I no longer use, when I recalled that I had connected a few of my other online accounts to it. You've probably done the same - to make logins easier or to allow a site to tweet on your behalf. Wondering if it would disconnect from my other accounts after I closed it (but doubting it), I double-checked afterwards. Nope!

I'm not surprised. There's a huge incentive for them to request access to my other sites, and absolutely no incentive to disconnect from them when they're done. If you're wondering what an API is, you might want to read this - or just know it's a way to make a service more accessible to anyone who might want to consume it in their own service. So a company writes a nice little interface (the API) that defines some functions for the service they provide, like "get user's email" and "get user's friends", or "update user's profile" and "post update on user's behalf", or for a social media site maybe "follow new account". In order for a site to provide access to that API to another site though, they need to get your permission to do so. That's what that "approve" box is all about.

stackexchangeauth

This stuff is useful and convenient in the right hands, but potentially damaging in the wrong. Because of that, you really don't want other sites to keep any level of access to your accounts when you're done with them. And as I found out, don't assume that closing an account will close those connections to. You may not be able to login to the site anymore, but they still maintain a valid connection to the other sites you previously gave them permission to access, and until it's revoked they could in theory take advantage of that. They could continue reading changes to your email address, following new friends, posting updates to your account, etc, etc - whatever you gave them access to... an important reason to pay attention to the permissions they requested in the first place.

It's a good idea to occasionally audit your various sites - especially popular ones like Google, Facebook and Twitter - and clean things up. If you can't find the appropriate settings page for an account (sometimes they're buried kinda deep or named funny), I've started a list on GitHub that may help. If you don't find it on there, but you discover it later on, feel free to create a pull request to add your findings! You'll be helping others stay more secure too.


Grant Winney

Grant Winney

I write when I've got something to share - a personal project, a solution to a difficult problem, or just an idea. We learn by doing and sharing. We've all got something to contribute.

Read More