Google Reins in OAuth User Data Access to Prevent Abuse | eWeek

Google Rolls Out New Measure To Protect Against OAuth Abuse

Google OAuth Limits
Verfasst von
Jaikumar Vijayan
Jaikumar Vijayan
Jun 4, 2018
3 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

Google has introduced a couple of new measures aimed at preventing rogue third-party software from spreading among users of Gmail, Drive and other Google cloud applications. 

Effective immediately, any third-party application that requires Open Authorization (OAuth) to access user data in Google apps will be subject to a daily total new user cap. The cap will restrict the number of new users that can authorize a particular app to access user data in Google apps. Google has also put a limit on how rapidly a particular application can acquire new users. 

“These enhanced protections will help protect our users and create an OAuth ecosystem where developers can continue to grow and thrive in a safer environment,” Google associate product manager Luke Camery explained in a blog post June 4.


OAuth is a token-based standard for enabling limited sharing of protected information between different applications. It enables a user to authorize a third-party application to access their data without requiring any separate authentication for that to happen. 

For example, OAuth is central to a user’s ability to log into a third-party website using their Gmail or Facebook login credentials.  Similarly, OAuth allows users to permit a third-party application or service—such as a cloud file sharing app—to access data in their Google or other account without the need to enter a username or a password. 

While the standard is considered very useful it also has its pitfalls. Last year for instance thousands of G Suite users became victims of a spam campaign when phishers tricked them into granting access to their contact list using a fake Google Docs permission request. Users who followed the links in the phishing email were taken to a legitimate Google sign-in screen where they essentially ended up granting access rights to a rogue application rather than to Google Docs. 

After that incident Google has been tightening some of the controls around its OAuth application environment. Last July for instance, the company began giving users stronger warnings about granting access to applications with which they were not familiar. The company began displaying an “unverified app” screen when users attempted to grant access to an application that was either new or that Google had not yet verified as trusted. 

Today’s announcement builds on those protections by making it harder for an app developer to spread rogue applications via OAuth. With the additional measures, each new or unverified application will now have a limit on the number of users that can grant access to their Google data on a given day. The quota will be based on application history, the developers’ reputation and the kind of data the application is seeking access to, Camery said. The quota limits the number of Google users that the developer of a rogue application can potentially impact. 

The majority of app developers should not be impacted by the change. Developers that expect to be impacted can request Google to verify their applications or they can request the company to increase their daily quota along with an explanation on why they need it. “We will actively monitor every application’s quota usage and take proactive steps to contact any developer whose application is approaching its quota,” Camery said. 

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.