As of October 5, automatic OAuth 2.0 token revocation upon password reset

Google announced a change to its security policy to increase the account security that includes the OAuth 2.0 token revocation upon password reset.

Google has finally announced a new OAuth 2.0 token revocation according to its security policy, the company will roll out the change starting on Oct. 5.

The change to the Google security policy was announced last year by Google, the company explained that OAuth 2.0 tokens would be revoked when a user’s password was changed.

Google decided not to move forward with this change for Apps customers and began working on a more admin-friendly approach.

The company has implemented the OAuth 2.0 authentication protocol in 2012 with the intent of boosting the security of its services like Gmail and Google Talk.

Google aims to improve users’ security limiting the impact on the usability of its application, at least in this first phase so although initially planned for a wider set of applications, the OAuth 2.0 token revocation rule will be limited to the email mail service.

Google confirmed that the App Script tokens and apps installed via the Google Apps Marketplace are not subject to the token revocation.

“To achieve the security benefits of this policy change with minimal admin confusion and end-user disruption, we’ve decided to initially limit the change to mail scopes only, and to exclude Apps Script tokens. Apps installed via the Google Apps Marketplace are also not subject to the token revocation.” reads the Google announcement. “Once this change is in effect, third-party mail apps like Apple Mail and Thunderbird―as well as other applications that use multiple scopes that include at least one mail scope―will stop syncing data upon password reset until a new OAuth 2.0 token has been granted. A new token will be granted when the user re-authorizes with their Google account username and password.”

After the change will be effective, third-party mail applications that include at least one mail scope will no longer sync data when the user password is reset. The data syncing will start again after a new OAuth 2.0 token has been granted.

The change will impact also mobile users, it will affect for example mail applications. The Apple iOS users who use the mail application included in the mobile OS will have to re-authorize it with their Google account credentials when they change their password.

This is nothing new for Gmail apps on both iOS and Android the already require to grant a new OAuth 2.0 token upon password reset, but Google will enforce the change also to third-party apps.

For further information on the new OAuth 2.0 token revocation rule give a look at the post published by Google that includes also a list of FAQ

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – OAuth 2.0, security policy)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.