It has been a while since I logged onto the SmartThings IDE Site. I was having some trouble using my Samsung account (even though I have a legit Samsung account). So I decided to click on the Google link at the bottom and it linked to my Google account. It logged me in and I was able to access everything.
A few minutes later, I got a notification on my phone asking to confirm if it’s me trying to recover my Google account, and the location was somewhere in India… Of course I blocked that attempt.
Very shady. Are the SmartThings developers in India trying to hack into users’ Google accounts? This is very disturbing and I want to share that here. Makes you wonder what else they’re doing with your IoT devices, cameras, etc.
tgauchat
(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy)
3
There is no Google link at any SmartThings or Samsung operated website.
You either went to the wrong website, or were being asked to login to Chrome (to sync your browser settings), or being asked to login by some legitimate or illegitimate browser extension.
I think what he meant by Google link is when you log in with the Samsung account, there is an option to sync in with the Gmail account instead of typing username/password. That’s how I do it all the time, and my understanding of OP’s “google link”. I’m sure he will be able to shed some light.
On another note, I reached out to SmartThings support and the person who I am dealing with seems to be located in India, and has been very helpful.
Hmm that’s scary about a phishing site. That explains why despite typing in my Samsung credentials (happens to be a Gmail account) many times it still said my password was incorrect. Then there was that mysterious “Log in with Google” link at the bottom. I clicked on it, typed in my Google password and it worked.
Worst case is they captured my Samsung account password, or even my Gmail password. Luckily I can still log into both. I’m going to change those passwords just in case.
1 Like
tgauchat
(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy)
6
Really? I’ve never seen this option for Samsung / SmartThings! Perhaps my ad blocker hides it. … No; I think I have ad blocking disabled for Samsung. So … that’s strange. I wonder who is given the option and who is not. Either that, or it is not really a Google login and it’s an extension hack?
Using confederated logins is convenient, but has certain risks. If you check the URL of the login flow to be sure it really is going to Google, then there is no risk of leaking your password.
However, if your Google password does get compromised somewhere, then all of the sites where you use Google for login might be accessible.
I don’t think it’s necessary to panic or be paranoid here: Google Login as an option is quite prevalent, but I’m still confused. Are you sure it’s not just login for the Community?
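The URL check mentioned in the thread above, as an added example that is not part of any poster's message: it parses a sign-in URL the way a browser does and accepts it only when the real host exactly matches an expected one. The allowlist (Google's sign-in host `accounts.google.com`), the function name and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example. Allowlist is an assumption: accounts.google.com is Google's sign-in host.
const TRUSTED_LOGIN_HOSTS = new Set(["accounts.google.com"]);

function checkLoginUrl(raw) {
  let url;
  try {
    url = new URL(raw); // same parsing rules the address bar uses
  } catch {
    return { trusted: false, reason: "not a parseable absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { trusted: false, reason: "not https" };
  }
  // Anything before '@' is userinfo, not the host, however much it looks like one.
  if (url.username !== "" || url.password !== "") {
    return { trusted: false, reason: `userinfo before '@'; real host is ${url.hostname}` };
  }
  const host = url.hostname.replace(/\.$/, ""); // lowercased by the parser; drop trailing dot
  // Non-ASCII lookalike letters are converted to xn-- (punycode) labels by the parser.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { trusted: false, reason: "punycode label (possible lookalike characters)" };
  }
  // Exact match only: a trusted name used as a prefix or subdomain of another domain fails.
  if (!TRUSTED_LOGIN_HOSTS.has(host)) {
    return { trusted: false, reason: `host ${host} is not an expected sign-in host` };
  }
  return { trusted: true, reason: "exact match on expected sign-in host" };
}

// Constructed sample URLs (example.net is a reserved documentation domain).
const SAMPLES = [
  "https://accounts.google.com/signin/v2/identifier",
  "https://accounts.google.com.signin.example.net/",      // trusted name as a prefix
  "https://accounts.google.com@login.example.net/signin", // trusted name as userinfo
  "https://accounts.g\u043e\u043egle.com/",               // Cyrillic 'o' lookalikes
  "http://accounts.google.com/",                          // no TLS
];

for (const s of SAMPLES) {
  const r = checkLoginUrl(s);
  console.log(`${r.trusted ? "OK  " : "FAIL"} ${s} -> ${r.reason}`);
}
```

Only the first sample passes; the others each contain the string `accounts.google.com` yet resolve to a different host or transport.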