Every day we see options to sign in with Google, Twitter, or Facebook. Those buttons save us a ton of time by allowing us to click and log in—plus we don't have to remember another damn password! Developers usually have control over what type of access they need and many of these services ask for read access to your email account. Maybe they actually need it for their service (such as an email client) or maybe they dont. Regardless, this is dangerous and scary.
If you think about types of email you receive, it probably contains bank statements, receipts, invoices, bills, spam (ugh), a photo you've been tagged in, a tweet someone liked, and maybe a few messages from your friends or family. This is a good picture of what my email inbox looks like on a daily basis. Email is a pretty important piece of the security puzzle. With all of this information I could sell ads that you're more likely to engage with, but I could also do a bunch of other stuff. I could build a profile about you, I could learn how much money you have or don't have. A bad actor could gain access to all of your accounts.
Email is incredibly valuable. It's a trusted identity resource used for forgotten pasword emails. You know the kind: you forget your password, type your email in the box, and boom—you've got a link in your inbox that magically let's you choose a new one.
Well imagine if someone had access to your email? They could easily reset all of your passwords and gain access to your bank account, your facebook, twitter, and whatever else you signed up for. It's literally that easy. Now there are a few ways to protect against this (two-factor auth), but we're not done yet.
What if you deal with tax forms, contracts, or personal information?
Giving full access to your email is giving them the keys to the kingdom. Don't do it, there's always a smarter way. Make sure you read what they're asking for. If it's meta data, that's much less scary and they can't crack into the juicy meat: your email contents.
Just make sure it doesn't ask for full email access. Something like this is a much safer alternative. In this example, Pickle CRM cannot read any of your email contents.
Stay safe out there!