July 13, 2010
Some Gmail users have noticed that their Gmail accounts have been accessed by systems whose IP addresses resolve to an IP address block in use by Amazon Elastic Compute Cloud (Amazon EC2). Amazon Web Services (AWS) has investigated several of these complaints; finding them to be cases where an end user implicitly granted third-party access to their Gmail account. A typical example: a user signs up for a social networking site which offers the option to import the user’s Gmail contacts – if the user provides his/her Gmail account credentials. The social networking site, which is hosted on Amazon EC2, will then log into the user’s Gmail account to retrieve the user’s contact list. The Amazon EC2 IP address assigned to the social networking site is recorded by Gmail. The social networking site may do this regularly to keep the user’s social networking contacts up-to-date. Gmail records the social networking site’s Amazon EC2 IP address as it continuously accesses the user’s Gmail account.
End users should be aware that providing account credentials to any third party is not without risk and should be carefully considered before doing so.