
There’s a big difference between password reset rules, and giving third-parties access to emails and calendar.

There is nothing draconian about restricting IMAP - any app could exfiltrate confidential emails once granted access. It’s a very sane rule to disallow everything except webmail or first party apps.



It's a terrible process for the users. And as we can see, what did it get them? A third party logging into their webmail.

The service is protected with a username and password, didn't matter if it was IMAP or webmail.


An employee who redirects company emails to get around a security rule becomes an ex-employee very quickly.


Of course it does matter! Webmail is quite restricted and optimized for viewing and replying to emails. IMAP is great for that, while also facilitating exporting (exfiltrating) the entire mailbox.



