Simon Willison’s Weblog

WARNING: Google Buzz Has A Huge Privacy Flaw. Interesting one this: by default, Buzz creates a public profile for you that lists the people you follow—but your default set of followers is derived from the people you contact most frequently using Gmail. This means users of Buzz may inadvertently reveal their most frequent contacts, which is an issue for people like journalists with anonymous sources, unhappy employees seeking new work or even people having e-mail based affairs. # 11th February 2010, 11:30 am

Fixing the Google Account problem. 3,000+ words explaining how to open a Google Doc invitation sent to an e-mail address that isn’t associated with your Google account. Worth reading just to get an idea for the enormous complexity involved in running a large scale identity system and designing an interface for managing aliases and multiple profiles. Google haven’t got it right yet—has anyone else? # 25th January 2010, 11:21 am

Introducing Closure Tools. Google have released the pure-JavaScript library, apparently used for Gmail, Google Docs and Google Maps. It comes with a powerful JavaScript optimiser tool with linting built in and an accompanying Firebug extension to ensure the obfuscated code it produces can still be debugged. There’s also a template system which precompiles down to JavaScript and can also be called from Java. # 6th November 2009, 7:33 am

How to avoid ads in gmail. “After extensive testing I’ve discovered you need 1 catastrophic event or tragedy for every 167 words in the rest of the email.” # 31st July 2009, 1:40 am

The Anatomy Of The Twitter Attack. Long-winded explanation of the recent Twitter break-in, but you can scroll to the bottom for a numbered list summary. The attacker first broke in to a Twitter employee’s personal Gmail account by “recovering” it against an expired Hotmail account (which the attacker could hence register themselves). They gained access to more passwords by searching for e-mails from badly implemented sites that send you your password in the clear. # 20th July 2009, 12:55 am

Find Your Friends. Flickr have added a characteristically classy friend import feature, pulling from Gmail, Yahoo! and Hotmail address books without any unhygienic password sharing. It’s a crying shame that the Yahoo! contacts API they are using isn’t available outside the company. # 1st April 2008, 1:01 am

David Airey: Google’s Gmail security failure leaves my business sabotaged (via) Gmail had a CSRF hole a while ago that allowed attackers to add forwarding filter rules to your account. David Airey’s domain name was hijacked by an extortionist who forwarded the transfer confirmation e-mail on to themselves. # 26th December 2007, 12:16 pm

Gmail Greasemonkey API (via) The new version of Gmail includes API hooks for Greasemonkey script authors. The documentation is by Mark Pilgrim, author of Greasemonkey Hacks. # 7th November 2007, 10:38 am

Mailplane (via) A commercial OS X Gmail client built around a site-specific browser. # 25th October 2007, 7:57 am

The password anti-pattern. What I don’t understand is why Google / Yahoo! / other webmail providers haven’t just deployed a simple OAuth-style API for accessing the address book. Sites have been scraping them for years anyway; surely it’s better to offer an official API than continue to see users hand out their passwords? # 12th October 2007, 9:25 am

identity-matcher. Dopplr’s social network importing code (for Gmail, Twitter, Facebook and sites supporting Microformats), implemented as a Rails ActiveRecord plugin. # 4th October 2007, 2:53 pm

WebRunner 0.7—New and Improved. A simple application for running a site-specific browser for a service (e.g. Twitter, Gmail etc). This is a great idea: it isolates your other browser windows from crashes and also isolates your cookies, helping guard against CSRF attacks. # 27th September 2007, 1:55 pm

Google GMail E-mail Hijack Technique. Apparently Gmail has a CSRF vulnerability that lets malicious sites add new filters to your filter list—meaning an attacker could add a rule that forwards all messages to them without your knowledge. # 27th September 2007, 10:29 am

Google To “Out Open” Facebook On November 5. “Google will announce a new set of APIs on November 5 that will allow developers to leverage Google’s social graph data. They’ll start with Orkut and iGoogle (Google’s personalized home page), and expand from there to include Gmail, Google Talk and other Google services over time.” # 21st September 2007, 11:23 pm

Never use a warning when you mean undo. The abundance of “undo” is one of my favourite things about Gmail. I wonder if there’s anything Django could do to make implementing undo functionality easier... # 17th July 2007, 11 am

Gmail and Django. I’d never considered using Gmail to send e-mail from applications, but it could be a useful way of avoiding having outbound e-mail falsely flagged as spam. # 2nd July 2007, 9:46 pm

Importing your social network from other sites. Dopplr now does this from GMail, Twitter, vCard or hCard and XFN. I’m convinced that contact import is a killer app for OpenID. # 26th June 2007, 1:46 am

Gmail Atom feeds. Could be useful as a pipe for creating an e-mail interface to an existing Atom-consuming application. # 16th January 2007, 2:50 pm

Offline Gmail and Blogger Using the Dojo Offline Toolkit. These are just mockups at the moment, but they’re a useful illustration of how offline browsing modes for Web applications could work. # 10th January 2007, 12:40 pm