As with anything that wants my passwords I want to know about the how safe it is to use the gnome-online-accounts [g-o-a] feature (and how it can be exploited). I'm only interested in the Google part of it since that is all that is available at the moment.
I want to understand if it stores my password in any way - I get the impression it uses some kind of token authentication but I don't understand this. Is it possible to steal a password (or similar?) from my computer through g-o-a?
All the documentation that I have found is far too complex for a normal person to understand.
Short answer: You can probably trust g-o-a if you use Twitter, Facebook and Google-accounts and you're faced with a login-page that looks native to those services (e.g. a facebook-styleish login box instead of a GNOME-styleish one). Edit: However, always assume your accounts are compromised. g-o-a might not be the weakest link, but the more links you've got on a chain, the more likely it is that one of it is going to be weak. Always treat your data carefully.
Long answer: Depending on what service you use it either uses a "token authentication" (see http://en.wikipedia.org/wiki/OAuth ) or clear text passwords. The worst case scenario for e.g. Twitter is that someone sends spam with your account, but they won't have access to sensitive data (however, if you store passwords in Chrome/Firefox - that's an entierly different matter) and the "hackers" cannot steal your password or change it. You can just go onto the security settings (on Twitter) and then delete the OAuth-token for your g-o-a.
This is different for different services. On Google (and Facebook), you can specify app-specific passwords if you're worried about your privacy. If these passwords are stolen, you can just delete them.
At the end of the day, exploiting g-o-a might not be that valuable unless you're actually targeting a specific person you know runs GNOME, since most people (I dare to say) stores their passwords in Firefox/IE/Chrome, which both should be less secure and more common - like telling a child not to steal candy from an open candy jar and then go away shopping for an hour.
If you're worried about g-o-a, you should always reset your browsing history (and cookies etc.) in your browser when closing the browser and not running any unofficial Facebook apps etc.