We have been contacted by a user who has concerns about the link setup procedure between SmartGit and Bitbucket (Preferences, Hosting Providers). While the procedure is actually inscrutable on first glance, following it step-by-step we can see that it’s safe with respect to the protection of your Bitbucket account:
As you can see from the Request Access Token dialog, your browser will directly open a bitbucket.org Link. If you prefer, you may copy&paste the URL yourself to your browser.
The URL is about OAuth authorization and specifies two parameters client_id and response_type which we can assume. We can assume that client_id is pretty much what it says: the Client ID of SmartGit – otherwise that would be a significant design flaw of the Bitbucket API for such a central end point. We can also assume that Bitbucket is very much interested in telling you exactly for which access rights the OAuth request is asking and that it would warn you about strange requests, to protect its users from malicious applications.
After confirming access, Bitbucket will pass an authorization code to Syntevo’s website. Again, we can assume that whatever this token is, Bitbucket considers it safe to pass on to the requesting application (the detour over syntevo.com is necessary because Bitbucket can’t pass the token directly to your running SmartGit instance).
The authorization token is short-lived and single-use; this especially means that once you have successfully authenticated, you can be sure that the token can’t be used anymore (e.g. by some attacker who could have gained control over the connection between bitbucket.org and syntevo.com or over the connection between syntevo.com and your browser).