Updated October 9, 2023

The last step to protecting your email is to manage and control access to your email by third-party applications.
Third-party access is when you grant permission to your email provider to share access to your information with another service.
Third-party access is coming up more and more as small web applications are popping up and relying on larger identity providers to manage access for them. One of the most common identity providers used is an email provider, such as Google or Microsoft. This is perfectly legitimate, and something we will recommend to you in later chapters when faced with creating a user login function for your system.
Danger: Third-party access is something to grant carefully and monitor. People can create malicious applications to siphon data from your identity provider if you aren’t checking the permissions you are granting. Attackers can also take control of older third-party systems that are no longer supported, but that might still have access to your identity provider account.
Now is a great time to log into your email provider and check which third parties have access to your account, and what data they can access. For most email providers, you can usually find these under the security section of your account settings.
Figure: Checking devices and services accessing a Google account.
If you see an unfamiliar service, or an account you no longer need, disable the access. If a service has more data access than you think it needs, now is a great time to contact that service and ask why, try limiting the permission if you can, or disable it and try to find a different service to use. For example, it would be perfectly normal for Zoom to have access to your calendar if you allowed it to automatically generate a Zoom meeting ID when you send a virtual meeting invite. It would not be normal for Zoom to need full administrative access to your entire account with your email provider just to perform this function.
It doesn’t matter if you have a lot of third parties with access. It matters more what those services are doing and if they are expected to be there. The minimal amount of access would be to your name and email address, as that would be the information needed to create an account on a third-party site and sign in; this is OK. What is more concerning is when that third party also needs access to read your email, or access your document storage. These are permissions that need to be challenged, because in the wrong hands this could be a perfect way for an attacker to bypass authentication and access your data directly.
You can challenge them quietly by revoking the access and seeing if you can still use all the functions of the third-party account. If it requires that access to work, you can get a bit louder by raising a support ticket, or asking their community why they need that access when it raises security risks. You can escalate further by calling out to your Twitter or online friends to ask for a secure alternative to the application. Sometimes challenging access does result in changes (or at least precedent), like in the case where Goldenshores Technologies, who collected geolocation data without consent via their simple flashlight app, was officially charged by the Federal Trade Commission (FTC). Find a level you are comfortable with, and push back on excessive third-party access.
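The review described above (name and email are fine, narrow task-specific access is fine when you granted it knowingly, mail or document-storage access must be challenged, unfamiliar apps get disabled) can be written down as a small checker. The following is an added example, not code from the book; the grant records are constructed to mirror what a provider's third-party-access page shows, the scope strings are real Google OAuth scope names, and the apps, the tiering of scopes and the "expected" map are assumptions chosen to illustrate the chapter's rules.

```python
"""Least-privilege review of third-party OAuth grants on an email/identity account.

Added example (not the book's code). Grant records are constructed; scope strings are
real Google OAuth scope names, but the apps and the sensitivity tiers are assumptions.
"""

# Tier 1: identity only (name + email). Enough to create an account and sign in.
IDENTITY_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Tier 2: narrow, task-specific data, e.g. creating calendar events for a meeting tool.
NARROW_SCOPES = {
    "https://www.googleapis.com/auth/calendar.events",
    "https://www.googleapis.com/auth/drive.file",  # only files the app itself created or opened
}

# Tier 3: reading mail or browsing document storage. Anyone holding such a token
# reaches the data without ever logging in, so these are always challenged.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/calendar",  # full read/write of every calendar
}


def classify_scope(scope):
    """Map one scope string to its sensitivity tier."""
    if scope in IDENTITY_SCOPES:
        return "identity"
    if scope in NARROW_SCOPES:
        return "narrow"
    if scope in HIGH_RISK_SCOPES:
        return "high-risk"
    return "unknown"  # not tiered: look it up rather than ignore it


def review_grant(grant, expected):
    """Verdict for one grant: 'ok', 'review', 'challenge' or 'revoke', plus reasons.

    `expected` maps an app name to the set of non-identity scopes you knowingly
    allowed it (empty set = sign-in only). Apps absent from the map are unfamiliar.
    """
    app, scopes = grant["app"], set(grant["scopes"])
    if app not in expected:
        return {"app": app, "verdict": "revoke",
                "reasons": ["unfamiliar app, or one you no longer use"]}

    high = sorted(s for s in scopes if classify_scope(s) == "high-risk")
    unknown = sorted(s for s in scopes if classify_scope(s) == "unknown")
    unexpected = sorted(s for s in scopes
                        if classify_scope(s) == "narrow" and s not in expected[app])
    reasons = []
    if high:
        reasons.append("reads mail or document storage: " + ", ".join(high))
    if unknown:
        reasons.append("unrecognised scopes, look them up: " + ", ".join(unknown))
    if unexpected:
        reasons.append("narrow access you did not knowingly grant: " + ", ".join(unexpected))

    if high:
        verdict = "challenge"   # raise it with the vendor; revoke and test if unsure
    elif unknown or unexpected:
        verdict = "review"      # plausible, but confirm the feature really needs it
    else:
        verdict = "ok"          # identity plus only the access you expected
    return {"app": app, "verdict": verdict, "reasons": reasons}


def review_grants(grants, expected):
    return [review_grant(g, expected) for g in grants]


# Constructed sample data modelled on the chapter's examples (not real grants).
SAMPLE_GRANTS = [
    {"app": "Zoom",
     "scopes": ["openid", "email", "https://www.googleapis.com/auth/calendar.events"]},
    {"app": "Old Mail Backup 2016",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
    {"app": "Recipe Forum", "scopes": ["openid", "email", "profile"]},
]
# What you remember granting: Zoom may create calendar events, the forum only signs you in.
EXPECTED = {"Zoom": {"https://www.googleapis.com/auth/calendar.events"}, "Recipe Forum": set()}

if __name__ == "__main__":
    for finding in review_grants(SAMPLE_GRANTS, EXPECTED):
        print(f"{finding['verdict']:9} {finding['app']}")
        for reason in finding["reasons"]:
            print(f"          - {reason}")
```

The point of the `expected` map is that the same scope is fine for one app and a red flag for another: calendar-event access on a meeting tool is what you signed up for, while the same scope on a recipe forum is something to question, and an app you do not recognise is disabled regardless of how little it asks for.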
Now is a great time to go back to the list of accounts you started off with. Like me, you probably don’t have just one email account. Hopefully, unlike me, you have fewer than five. Either way, don’t forget to protect each of your accounts using this same process.
If you no longer use an email account, you can reset the password to something long and unique, and be done with it. But first, ask yourself a few questions and check through your inbox to see if any of the following apply:
Do important contacts still use this email to contact you, whether that is family, friends, or business contacts?