Are there any plans at all to communicate any updates or information on this ?
Weâre in contact with Google, but I believe waiting to hear back from them. No timeline at the moment.
@cmcheatle are you not able to use the reset password page to create a password for the cmcheatle account and then sign in with your username/email and the new password? Quite a few people are saying itâs working for them.
Unless you tell me there is no longer an option to do so, I prefer to use the Google option.
This is not meant to disrespect inaturalist staff, so please donât take it that way, but the site has a couple of generalist programmers working for them. Google has dozens if not hundreds of world class security experts working for them. The resources, knowledge, code review etc at their disposal are superior to what inaturalist can offer, and I prefer to entrust my security to them
Just hit this problem (im in Australia, if it makes any difference). Surprised to learn its been going on this long.
Has the CAoS got any Silicon Valley types on the board? Can ya hustle them connections and get this train rolling again lol
Google also has a lot more motivation for someone to hack it though, versus inaturalist, because itâs a huge target and also has all sorts of financial and personal info well beyond what iNat has. So Iâm not sure how that tradeoff really balances out. On the other hand, if someone hacks your Google account I doubt theyâll be using it to log into iNat.
Google has never been successfully hacked (someone guessing or brute force determining an account password is not the same thing as being hacked).
@tiwane if a user creates a standalone account to deal with this, and the Google issue is then resolved, can that account and login be removed from the site without causing the loss of all your data.
that we know of. And of course you have to trust google which i do trust for a lot of things but honestly, trust way less than I trust Ken-Ichi, Scott, etc. But⌠I am not trying to say your decision is wrong at all! And Iâve kind of accepted Google as an overlord anyhow.
Any hacker who broke into google would be crowing (sly nature reference) like crazy about it. Google may or may not try to hide it, but the person who did it would be claiming it all over the place for the cred.
really? i think it would be super powerful to just lay low and use the data. it depends on what sort of hacker and why. But sorry⌠i am roaming way off topic here. Hopefully this issue is fixed for those who want to log in with Google.
Assuming you successfully hack someone, eventually you need to do one of 3 things before the company figures it out and closes the hole, use the data, sell the data, or contact the company and try and either extort them or collect a bug bounty. For the folks skillful enough to hack a company of that size, just having the data sitting on their hard drive does nothing.
whoâs to say they arenât using it?
Iâve got the same issue.
Logging in with my gmail credentials via Firefox from Southeast Asia generates the error with no other content on the page. Logging in using my inat password works fine.
1 Like
FYI, Iâm working on this, but Iâve had some trouble getting non-robotic support from Google and clarity on whether they need us to verify ownership of domains or merely of content at URLs. So far I think itâs the former, which would mean we could probably get this resolved for inaturalist.org in the next week, but getting it to work for partner sites like inaturalist.ca and naturalista.mx will take a lot longer (these domains are owned by partner organizations so we at iNaturalist / CalAcademy donât legally own them, and proving âownershipâ to Google will require getting all of the partner orgs to make some fussy DNS changes).
Believe it or not, they are also requiring us to change the design of the âSign in with Googleâ button. Oi.
2 Likes
@kueda Ken-ichi, can you comment on the question I left for Tony, if a standalone account is created in the interim, when this is resolved, can it be deleted without the cascading delete of all data? I dont believe there are any user facing tools that allow this.
If a redesign is needed, I assume we are talking weeks if not months before this can be resolved between design, coding, testing, translation etc.
It can but Iâd much prefer that people not do that. If youâre locked out of your account because you have always signed in with Google and have never created an iNaturalist password, the best remedy is to go to https://www.inaturalist.org/users/password/new, enter the email address associated with your Google account, and use the link in the email you receive to create a password. Then you can sign in with your iNat credentials instead of your Google account. Since you seem to be worried about security, use a password that you donât use anywhere else (really everyone should do this). If our security is compromised to the point that people can hijack user accounts, I seriously doubt having or not having a password on iNat will provide any amount of protection. For what itâs worth, almost all of the security issues weâve had to deal with through updating third party dependencies have to do with the signing in with another siteâs credentials, so if youâre trying to be very cautious about account security, Iâd focus that concern on the fact that you sign in with Google.
4 Likes
Today in tech absurdity:
They are seriously asking us to provide a video of functionality that doesnât work because they disabled it. Excuse me while a find a literal wall to slam my head into.
7 Likes
Is there any update on a fix? I find this error rather embarrassing to iNaturalist, it sends the message of being a fraudulent app that Google doesnât want its users to go to.
I can now sign in with Google again. Whatever youâre doing behind the scenes is working :)
I still canât 
Hey Ken-ichi! Thanks for slamming your head into walls for us on this - those of us frustrated by not being able to log in for the past 3 weeks really appreciate your efforts!