[SOLVED]Google script must be allowed to sign into Imgur

Talk about internet security, computer security, personal security, your social security number...
Post Reply
User avatar
IMB4U
Junior Member
Posts: 30
Joined: Wed Jul 15, 2009 11:08 pm
Location: USA

[SOLVED]Google script must be allowed to sign into Imgur

Post by IMB4U »

Question:
I have an Imgur.com account and sometime this year, Imgur has allowed Google to run a script on its site when signing into your account with your password. At first, I couldn't understand why I couldn't sign in because I knew I was typing my username and password correctly. Then I looked at NoScript and saw Google.com was listed, and even though I didn't want to allow it, I figured I had no choice and so allowed it to run. I was able to sign in. I immediately looked at NoScript and saw that Google.com had disappeared from view...just after I signed in.
Today, I double-checked and you still must allow the Google.com script and it still disappears immediately after signing in.
Can someone explain what this is all about? Is Google getting our passwords?
Last edited by IMB4U on Tue Jun 30, 2015 8:33 am, edited 1 time in total.
Windows 8, Professional, 64-bit/4 GB Ram/Pale Moon 25.5/ NoScript, Adblock Plus, Better Privacy; Super-Antispyware (free), Malwarebytes Anti-Malware (free), Spyware Blaster (free), WinPatrol (free)
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:25.5) Gecko/20150607 Firefox/31.9 PaleMoon/25.5.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Google script must be allowed to sign into Imgur

Post by barbaz »

I can't, at least not right now, but maybe someone who has the.. er.. whatever it is that it takes.. to look through minified code can do that and give you the answer?
It's this script:

Code: Select all

https://apis.google.com/js/client:platform.js
which loads one other script from apis.google.com whose URL I'm not posting here because it appears to contains personal information about me.

If you don't want to allow that script, why assume imgur sign-in wouldn't work without it, why not even try without?
(Now the googleapis.com script is a jquery library, which is almost certainly required... if you care, there are instructions elsewhere on this forum how you can avoid allowing that while not breaking sites that require it.)
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
IMB4U
Junior Member
Posts: 30
Joined: Wed Jul 15, 2009 11:08 pm
Location: USA

Re: Google script must be allowed to sign into Imgur

Post by IMB4U »

@barbaz Thanks for your reply.
If you don't want to allow that script, why assume imgur sign-in wouldn't work without it, why not even try without?
Maybe I wasn't clear in the words I used to describe my situation, but I did try to sign in first without allowing Google. I will elaborate some more...

In April or May, I went to Imgur and tried signing in as usual.
At that particular time, the words flashed on the screen that I had used the wrong password.
I tried several times more, each time carefully watching each character I typed, but each time, I was told I was using the wrong password. I finally checked NoScript and saw that a new script had been added, which was Google.com. I realized I probably had to allow the Google script to run in order to sign in. There was also a gstatic script listed, but I just allowed the google.com script, typed my username & password again, and I was allowed into my Imgur account.
I then quickly looked at NoScript and saw that the google.com script had vanished...it was no longer displaying in NoScript. It only displayed "before" signing in.

Before coming here to the forum today, I double-checked to see if the google.com script was still necessary to allow in order to sign into Imgur, and it was...
I typed my username and password,
BUT THIS TIME, instead of telling me I had used the wrong password when clicking the words SignIn, NOTHING happened.
I then allowed the google.com script to run, retyped everything and was able to sign in. Once again, after signing in, I looked at NoScript, and the google.com script had disappeared. It only shows before you sign in...once you type your password, it disappears from NoScript.

I don't understand a lot about scripts and I somehow thought that all scripts on a web page that you need to use passwords on could grab your password. Am I right or wrong :?: Also, even if Google is not getting our passwords, what would be the purpose of it running a script only during the process of entering your password and then disappearing?
Windows 8, Professional, 64-bit/4 GB Ram/Pale Moon 25.5/ NoScript, Adblock Plus, Better Privacy; Super-Antispyware (free), Malwarebytes Anti-Malware (free), Spyware Blaster (free), WinPatrol (free)
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:25.5) Gecko/20150607 Firefox/31.9 PaleMoon/25.5.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Google script must be allowed to sign into Imgur

Post by barbaz »

IMB4U wrote:I don't understand a lot about scripts and I somehow thought that all scripts on a web page that you need to use passwords on could grab your password. Am I right or wrong :?:
You are correct that it's possible in theory, but generally it wouldn't happen in practice unless the script is malicious or something like that.
IMB4U wrote:Also, even if Google is not getting our passwords, what would be the purpose of it running a script only during the process of entering your password and then disappearing?
My first thought on reading this was that it's part of Google's recaptcha system, but on actually going to the site I have no idea... maybe imgur is allowing people to sign in with a Google account as well but they haven't designed their scripts to work without that for those who don't have a Google account? Without analyzing that script, I'd just be guessing, but there are possible legitimate reasons for this.
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
IMB4U
Junior Member
Posts: 30
Joined: Wed Jul 15, 2009 11:08 pm
Location: USA

Re: Google script must be allowed to sign into Imgur

Post by IMB4U »

@barbaz: Thank you for explaining things to me. I just felt really uneasy about having to allow Google to run a script while signing into Imgur. The only thing I use Google for is an occasional search...perhaps once in every 4 months or so. :D Again, I really appreciate your assistance...thanx!
Windows 8, Professional, 64-bit/4 GB Ram/Pale Moon 25.5/ NoScript, Adblock Plus, Better Privacy; Super-Antispyware (free), Malwarebytes Anti-Malware (free), Spyware Blaster (free), WinPatrol (free)
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:25.5) Gecko/20150607 Firefox/31.9 PaleMoon/25.5.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: [SOLVED]Google script must be allowed to sign into Imgur

Post by barbaz »

You're welcome, happy to help :)
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: [SOLVED]Google script must be allowed to sign into Imgur

Post by Thrawn »

Should we be devising a surrogate for this?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: [SOLVED]Google script must be allowed to sign into Imgur

Post by barbaz »

@Thrawn: it depends what the script is doing (especially so since google.com is in the default whitelist).
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: [SOLVED]Google script must be allowed to sign into Imgur

Post by Thrawn »

After I allow apis.google.com, it then wants to allow accounts.google.com, so I'm betting on it being part of their Google Accounts integration.

So, it's likely not appropriate for a surrogate, since the real script would be needed to actually make Google login work.

Probably your best bet is to allow full domains - apis.google.com and accounts.google.com - rather than all of google.com
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Post Reply