Garett Rogers noticed a new option in the chat widget from the experimental iGoogle: invite friends to Google Talk. Unlike the similar feature from Gmail, iGoogle provides a simple way to import your contacts from Yahoo Mail, Hotmail, AIM and send mass invitations. The problem is that Google asks the username and password for a third-party email account, instead of using the APIs provided by Yahoo and Microsoft.
Google explains that it doesn't keep your username and password, but it's a really bad practice to teach your users to type their credentials on third-party sites. "Big internet companies stand to lose the most from widespread abuse of the anti-pattern, because they're the ones most likely to be targeted by phishers," says Simon Willison.
It's ironic that Google has a Contacts Data API and the introductory blog post has the following message:
"Have you ever been on a web-site that asked you for your Google username and password so that it can import your Gmail contact list? Did you think twice before giving out that information, hoping the web-site would not use it to access your credit card information stored with Google Checkout? Now you don't have to! We're happy to announce the availability of our Google Contacts Data API that gives programmatic access to your contact list. (...) We hope that APIs like this one mean you will never have to give out your username and password to other sites again. Please encourage all sites you use to switch to this API for accessing your Google contact data."
Flickr heard Google's message and it uses the contacts API to import the address book from Gmail. This way, Flickr doesn't have access to your password and it can only use a small portion of the data stored in your Google Account.