Saturday, 20 February 2010

Google security problem: have you had this?

Is Google logging people into Google's system randomly with someone else's Google account? How is this possible?

Here's what happened: I started my computer, which I'd set to automatically open a few programs like Firefox.

I went to Firefox and searched via the Firefox search bar (which goes through GoogleSharing) for something I'd posted a query on, to check if anyone had answered the query.

I then clicked the search results link to go to the Google Group entry I was looking for - and was startled to see, at the top of the webpage, that I was logged in as sol[rest of name deliberately deleted]! Which obviously isn't me. See screenshot below:

Like a good citizen, after taking the screenshot I immediately clicked "Sign out". But I suspect that if I'd then gone to Gmail, Google Calendar etc, I'd have been able to view sol...'s private stuff.

I closed Firefox and re-opened it, and then did exactly the same search in exactly the same way. This time I got what I expected; I wasn't signed in as anyone at all:

I don't know what's going on. I did have some trouble with my computer slowing down terribly this morning, and had to shut it down using the Power button as it wouldn't shut down by itself. I run a full anti-virus and anti-spyware scan every week, but that doesn't mean my computer hasn't been infected. I'm about to run them again.

But, I really don't know what's going on. I'm now really concerned that someone else somewhere else in the world could just go to a Google webpage without logging in, and find that they're already logged in as me. And, being less scrupulous, get access to all my Google stuff, without my being any the wiser.

Has this happened to anyone else? On searching, I see this sort of thing has happened before (and not just with Google Groups): in 2007 there was an "isolated bug in our [Google's] interaction with a proxy server in Singapore" and it seems to have happened again with Singapore users in 2009.

But I'm in the UK. Which isn't supposed to have fancy national filtering or censoring software, as far as I know anyway...

Anyway, I'm reporting it to Google but if anyone else has come across this issue, please post a comment. Very worrying.

UPDATE: no, I can't report it to Google: the link that Matt Cutts of Google gave in relation to the previous problems in 2007 just has no category appropriate to this issue! Well, I hope someone from Google spots this.

UPDATE 2: with apologies to sol... for not thinking to do this straight off, I've obscured the second half of their name in the email address, and also in the screenshot, so that spambots etc don't pick up their email from this blog post.

UPDATE 3: Also, Moxie Marlinspike of GoogleSharing is looking into whether it might be to do with GoogleSharing. The person concerned has confirmed that they don't use GoogleSharing so it's not a GoogleSharing issue.


Anonymous said...

There were reports of similar things happening on some cell networks. In that case the wireless provider had a bug forwarding wrong cookies to Google servers, effectively giving them access to random other accounts. The moral of the story is: your ISP and everyone in between can steal your identity if you are using unencrypted HTTP. You need to use HTTPS for all connections. I believe Gmail switched to HTTPS by default (and got in Iran's bad books immediately) and since each connection resends the cookies, you would likely not be able to read someone else's mail.
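
As an added example (not part of the post or of any comment), the following Python checks a response's headers for the session-cookie handling the comment above warns about: cookies that travel over plain HTTP, where an intermediary can read or misroute them. The cookie name `SID`, its value and both header sets are constructed for illustration.

```python
# Added example. Cookie names, values and header sets are constructed.

def parse_set_cookie(value):
    """Return (cookie_name, attrs) for one Set-Cookie header value."""
    first, *rest = [p.strip() for p in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(scheme, headers):
    """Flag cookie handling that exposes a session to intermediaries.

    scheme  -- "http" or "https": how the response was fetched
    headers -- list of (header_name, header_value) tuples
    Returns a sorted list of (cookie_name, problem) tuples.
    """
    cache_control = ",".join(
        v.lower() for k, v in headers if k.lower() == "cache-control")
    directives = {d.strip().split("=")[0] for d in cache_control.split(",")}
    findings = set()
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if scheme != "https":
            # The cookie itself crossed the network in clear text.
            findings.add((name, "set over plain HTTP"))
        if "secure" not in attrs:
            # Without Secure the browser also sends it on http:// requests.
            findings.add((name, "no Secure attribute"))
        if not directives & {"private", "no-store"}:
            # Nothing tells a shared cache or proxy not to store the response.
            findings.add((name, "no private/no-store Cache-Control"))
    return sorted(findings)


# Constructed sample responses: a weak one and a hardened one.
SAMPLE_WEAK = [("Content-Type", "text/html"),
               ("Set-Cookie", "SID=constructed123; Path=/; HttpOnly")]
SAMPLE_HARDENED = [("Cache-Control", "private, no-store"),
                   ("Set-Cookie", "SID=constructed123; Path=/; Secure; HttpOnly")]

if __name__ == "__main__":
    print(audit_response("http", SAMPLE_WEAK))
    print(audit_response("https", SAMPLE_HARDENED))
```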

phydeaux3 said...

There was a similar case last month here in the States involving AT&T and Facebook. Anonymous might be thinking of this -

Weird AT&T Glitch Allowed Users To Access Other People's Facebook Account

My guess would be something similar, but the fact your search went through GoogleSharing might complicate things a bit further.

It would be interesting to find out if the account you popped into is a user of the same ISP/Network you are. Maybe a polite email pointing them to your post and asking them?

Improbulus said...

Thanks Anon and phydeaux3.

I logged in on a desktop computer connected via Ethernet to my ISP-supplied router, not over a mobile network, but I still had that issue.

I've asked Moxie Marlinspike if it could be to do with GoogleSharing's fake cookies. I hope so, as that would mean at least it's not something more worrying at Google or my ISP's end!