You might have noticed the unfortunate mechanism of retrieving your Google Mail contacts by a site asking you for your Google username and password. This is of course one of the nightmares of every person even a little into security: with those credentials the site is not just able to retrieve the Google address book but also has access to all sorts of that person's services, such as AdSense and so on.
Now Google listened (or watched) and released the Contact Data API yesterday, which enables 3rd party applications to retrieve that kind of data without the need to ask the user for a username and password. With this API these applications can create, read, update and delete contacts (if the user gives permission to do so).
How does that work?
Instead of the 3rd party application itself asking for the username and password, it asks Google to retrieve that data. Google then uses the AuthSub mechanism to ask the user themselves to log in if they aren’t already logged in, and afterwards asks whether it’s ok for that 3rd party application to access this data. You can read the details here. This makes the process of retrieving that data far more secure, as no username/password needs to be shared with that 3rd party app.
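To make the flow concrete, here is a sketch of the three messages from the 3rd party site's point of view. It is an added example, not code from this post or from Google. The endpoint, the `next`/`scope`/`session`/`secure` parameters, the `token` callback parameter and the Contacts scope URL are given as I understand Google's AuthSub documentation and should be treated as assumptions; `example.org` and the token value are constructed.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed from Google's AuthSub documentation; not stated in the post itself.
AUTHSUB_REQUEST = "https://www.google.com/accounts/AuthSubRequest"
CONTACTS_SCOPE = "http://www.google.com/m8/feeds/"  # limits the token to contacts


def build_authsub_url(next_url, scope=CONTACTS_SCOPE, session=False, secure=False):
    """Step 1: the site redirects the user to Google. The login and the
    consent question happen there, so the site never sees a password."""
    params = {"next": next_url, "scope": scope,
              "session": int(session), "secure": int(secure)}
    return AUTHSUB_REQUEST + "?" + urlencode(params)


def token_from_callback(callback_url, expected_next):
    """Step 2: Google sends the user back to `next` with ?token=...
    Accept the token only on the exact callback location we asked for."""
    got, want = urlsplit(callback_url), urlsplit(expected_next)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the requested next URL")
    tokens = parse_qs(got.query).get("token", [])
    if len(tokens) != 1:
        raise ValueError("missing or ambiguous token parameter")
    return tokens[0]


def authsub_header(token):
    """Step 3: the site calls the API with the scoped token, not credentials."""
    if any(c in token for c in '"\r\n'):
        raise ValueError("token contains characters unsafe for a header")
    return {"Authorization": 'AuthSub token="%s"' % token}


if __name__ == "__main__":
    NEXT = "https://example.org/import"  # constructed callback URL
    print(build_authsub_url(NEXT))
    tok = token_from_callback(NEXT + "?token=CONSTRUCTED-TOKEN-123", NEXT)
    print(authsub_header(tok))
```

What the site ends up holding is a token limited to the requested scope, so a leak or a misbehaving site exposes the address book rather than the whole Google account.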
So this is good news, as it should fix one common security hole in the social networking scene. Of course it depends on how fast those networks update their sites, and it does mean the problem remains for the rest of the email providers out there. But a start is made and that’s good.
Even better, of course, would be a solution based on an open standard such as OAuth. But well, big corporations, you know…
BTW, as Linden Lab wanted to match new signups with existing ones (hopefully via opt-in) this might be quite useful for them to implement.