How can I know for sure that this Google Sign-in is legit?

3

I'm using https://addons.thunderbird.net/en-US/thunderbird/addon/gcontactsync/ in Thunderbird to sync my contacts with Gmail. When run, the extension asks for a token refresh and pops up this window:


There is no address bar and no url anywhere. If I right-click, nothing happens. The font is not right.

So: this is a pretty highly rated extension but, nevertheless, I feel very uncomfortable entering my credentials in this window.

How can I know for sure that this is a legit window and not a spoofed one? Should I run Wireshark and inspect packets, or does an easier solution exist?

Dr. Gianluigi Zane Zanettini

Posted 2019-04-26T14:19:56.460

Reputation: 1 227

It's almost certainly going to send your credentials to their server, and also send your contacts there. The server needs them so it can log in to your Gmail account and merge the contacts. There's no way for you to tell what else the server might do with this -- when you use a third-party add-on you're trusting them. – Barmar – 2019-04-26T18:23:01.450

The official extension page states that the syncing is done locally. The popup should only be needed for an API token access. Do you have any proof of the contrary? – Dr. Gianluigi Zane Zanettini – 2019-04-27T19:16:38.113

No, I was just assuming that a Gmail API was involved, and these APIs usually can't be accessed directly from clients. – Barmar – 2019-04-29T17:20:19.983

Do you have any adblocking proxies/addons/whatever enabled? – Daniel B – 2019-05-16T12:38:52.887

Answers

1

You can find reviews of the gContactSync add-on on the Thunderbird Reviews for gContactSync page. While most reviews seem very positive, there are also many negative ones. A new version seems in the making, as tweeted by the developer Josh Geenen.

However, it seems to me that you could also use the Google Contacts add-on for syncing contacts, without using a third-party add-on. Google Contacts is described as:

Access bi-directionally to Google contacts via address books. This extension detects Gmail accounts which have already been set up and creates address books for each of them. Cards in the address books are synchronized with Google contacts; they represent the current Google contacts contents, and Google contacts will be modified when you modify the cards. TB's mailing lists and Google's contacts groups are synchronized in the same manner.

A description of the installation and limitations of Google Contacts is given in the article How to Sync Thunderbird & Gmail Contacts, where some warnings are listed:

  • Thunderbird can only synchronize its contacts with Gmail if you have added your Gmail account to the program's email accounts list.
  • You cannot synchronize contacts that are created while the program is in offline mode.

harrymc

Posted 2019-04-26T14:19:56.460

Reputation: 306 093

Thanks man! Unfortunately I understood that the Google Contacts add-on is abandoned and doesn't work anymore. Did I get it wrong? – Dr. Gianluigi Zane Zanettini – 2019-04-27T19:18:55.273

It may no longer be developed, but that doesn't mean that it does not work. I myself still use old add-ons that are no longer even on the add-on website. But if you would rather use gContactSync, I have not found any indication in the reviews that it's harmful or that it collects your credentials. Read the reviews if you would like to check up on it. – harrymc – 2019-04-27T19:27:27.723

Google contacts is also a third party add-on, and hasn't been updated for all the incompatible changes Thunderbird has made with their APIs. – LeftoverPi – 2019-05-16T12:25:30.823

0

I'm the author of gContactSync. The code is open source on GitHub and you can use Wireshark to verify the behavior. The OAuth client ID and "secret" are in the add-on's source code, so it directly contacts Google for authentication. You can research OAuth 2 for more details.

Your password is never handled by my site or add-on. I'll write an issue on GitHub to improve the window. I've been planning to copy Thunderbird's OAuth dialog for Gmail.


Source: Improve the OAuth dialog

LeftoverPi

Posted 2019-04-26T14:19:56.460

Reputation: 101

Thanks for posting this. It sounds like the issue is that the token window isn't polished, as one would expect from a highly-rated program. That led the OP to question whether it was actually part of your app, or someone had spoofed it. Clarifying that it is actually what your dialog window looks like would address the underlying question. And based on the feedback of a potential user being afraid to use your app because of this, it might be worth polishing that window so it looks more official. (cont'd) – fixer1234 – 2019-05-16T17:28:09.470

For that matter, the app link lists Josh Geenen as the author, which doesn't match your site user name. So how can people know that you aren't a hacker who spoofed the product and then posted this reassuring answer? :-) – fixer1234 – 2019-05-16T17:28:15.013

I'll write an issue on GitHub to improve the window. I've been planning to copy Thunderbird's OAuth dialog for Gmail. – LeftoverPi – 2019-05-30T01:21:59.513

https://github.com/jdgeenen/gcontactsync/issues/133 – LeftoverPi – 2019-05-30T01:24:05.320

@LeftoverPi - I went ahead and took a screenshot of the issue you submitted. Feel free to play around with the wording. This allows users to view the issue and verify that the author of the add-on plans to improve it, allowing them to come to their own conclusions quickly. The point of this edit and my comment is to highlight the fact that important information should be contained in your contributions instead of comments. – Ramhound – 2019-06-01T14:07:01.870
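As an added illustration of the check the author's answer points to (inspect the traffic rather than trust the window), here is a small checker that is not part of gContactSync or of this thread: it tests whether a captured authorization request has the shape of a genuine Google OAuth 2 request, meaning Google's own host and path, the authorization-code flow, only contact scopes, and no password or client secret in the request. The sample URLs, the placeholder client ID and the list of expected scopes are constructed and assumed for this example, not taken from the add-on.

```python
"""Check whether a captured OAuth 2 authorization request looks like a genuine Google sign-in."""
from urllib.parse import parse_qs, urlsplit

# Google's documented OAuth 2 authorization endpoint (host and path variants).
GOOGLE_AUTH_HOSTS = {"accounts.google.com"}
GOOGLE_AUTH_PATHS = {"/o/oauth2/auth", "/o/oauth2/v2/auth"}
# Scopes a contacts-sync add-on is assumed to need (an assumption, not gContactSync's real list).
EXPECTED_SCOPES = {"https://www.googleapis.com/auth/contacts",  # People API
                   "https://www.google.com/m8/feeds"}           # legacy Contacts API
# Fields that never belong in an authorization request: the password is typed only
# into Google's own page, and a client secret is only ever used at the token endpoint.
FORBIDDEN_PARAMS = ("password", "passwd", "client_secret")


def check_authorization_url(url):
    """Return a list of findings; an empty list means the request is a well-formed
    authorization-code request addressed to Google."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("not HTTPS")
    # Match the whole hostname: accounts.google.com.<anything> is a different host.
    if parts.hostname not in GOOGLE_AUTH_HOSTS:
        findings.append(f"unexpected host {parts.hostname!r}")
    if parts.path not in GOOGLE_AUTH_PATHS:
        findings.append(f"unexpected path {parts.path!r}")
    q = parse_qs(parts.query)
    if q.get("response_type") != ["code"]:
        findings.append("response_type is not 'code'")
    if not q.get("client_id"):
        findings.append("missing client_id")
    extra = set(" ".join(q.get("scope", [])).split()) - EXPECTED_SCOPES
    if extra:
        findings.append(f"unexpected scopes {sorted(extra)}")
    for name in FORBIDDEN_PARAMS:
        if name in q:
            findings.append(f"{name} sent in authorization request")
    return findings


# Constructed samples (not captured from the real add-on): one genuine-looking
# request with a placeholder client ID, and one that should be refused.
CONSTRUCTED_REQUESTS = {
    "genuine": ("https://accounts.google.com/o/oauth2/auth?response_type=code"
                "&client_id=EXAMPLE_CLIENT_ID.apps.googleusercontent.com"
                "&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob"
                "&scope=https%3A%2F%2Fwww.google.com%2Fm8%2Ffeeds"),
    "suspicious": ("http://accounts.google.com.login-helper.invalid/o/oauth2/auth"
                   "?response_type=token&client_id=x"
                   "&scope=https%3A%2F%2Fmail.google.com%2F&password=hunter2"),
}
```

Calling `check_authorization_url()` on each entry of `CONSTRUCTED_REQUESTS` returns no findings for the genuine request and five for the suspicious one (scheme, host, flow type, scope and the password field).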