Google providing access to other user accounts

2009-05-22T04:32:00.000-07:00

I have been facing issues with google accounts for months, which is posted by Philipp on his blog post.

Below is the email content I wrote to Google on April the 28.

For the past one month, I am facing an issue wherein, when i access the help forum and the google profile (Update: Affected Services Google Notebook, Google Docs, Google Profile, Google , Google Analytics, Google Alerts, Google Finance, Google Friend Connect, Google Maps, Google Map Maker, Google Video, Google Code, Google iGoogle, Google Feedburner), the account that i logged in (priyadarsan****@gmail.com) is swapped with another account. I am able to access the account holder's personal information and his contacts. (Later i contacted the persons involved to share this matter).

In my knowledge, all the users involved are based in Singapore, So far there are five people which i identified. I have collected a bunch of screen shots and some writeups, which i will be attaching with this email. Please do something about it, we don't want others to access our account and happily use our contact information.
Please go through the below content. It's bit lengthy, but it will help you to trace the issues, i believe. The forum links are still there.

-=-=

April 3rd: Mail i dropped to philipp of blogoscope

Today, while i was browsing the Google Apps help centre. Suddenly, i realized that instead of my email ( priyadarsan***@gmail.com ), the interface is showing Maximilian.***gmail.com. I thought it's some kinda minor bug and it will be prompting for my account once i refresh. It didn't happen. I tried posting a message in one of the thread and to my surprise, the post came in as Maximilian's. I dropped an email to the account holder as well.

I was using chrome at first. Then I tried accessing from a different browser (firefox). It was the same Maximilian's account in firefox as well.

I was asked to login when i accessed the following

* Gmail

* My Account

But many other services were browsable..

I am not using a Proxy

I cleared the firefox relogged into my account, but it changed to Maximilian, while i was navigating, to be exact: Login, Google Apps Help Centre , My Profile

What do you think the problem might be?

I don't know Maximilian, until this event happened. I am not able to read his emails as i am been redirected to the login page. Mostly the problem lies around the help pages. To add, this is my personal laptop, only I myself uses this computer. Not even a guest account is enabled in it.

Attachment: priyangooglesecurityissue.zip

-=-=

April 9th: Mail i dropped to Peter Breitkreutz, whose account was the next one which i got access to

Hi Pete,
I don't know you yet. Sorry for pulling you in. We are facing a problem with Google Profile. Since your name is involved, i want you to be here. Hope you won't mind.

Hi Philipp,

This is getting serious. I am now able to see Max's address book (Names and Emails in his addressbook) , account information [Even the Account Name, Address is Editable]. I am able to browse through his picasa album from the profile, but clicking on any photo leads me to picasa's login screen. Clicking on My account leads to login screen (same with Google Reader, Gmail). I won't be surprised when one day i am writing from Max's Gmail.
(Screen Shot attached)

Maximilian wrote to me this morning saying that his account name has changed to "Aussie Pete". I googled only to find that Pete is in Singapore as well (I got his email from his blogger profile). This problem might be facing by everyone who is under same ISP who shares single public IP.

The surprising thing is that all 3 of us are google apps user's (I am using It, Max told me he is using and Pete's domain points here)

I use Google for anything and everything. Lot and lots of sensitive data are present in various tools like notebook and docs. I can't imagine that position, If i loose those.

Why am i writing this to you?, is 'cuz you can influence them and could bring their attention here. (or tell me where i can report it).

Expecting your reply.

I got to see this thread, where Pete says he is seeing Maximilian's account:
http://www.google.com/support/forum/p/Google+Apps/thread?tid=7a12c06200f1387e&hl=en

Attachment: repriyangooglesecurityissue.zip

Reply from Peter:-

Hi - yes it was very strange when I posted my question on google help... because there was no profile created, I went in and edited it, thinking that it was my profile (didn't notice the email address at the top of the page was showing Max's address and not mine).

Once I noticed, I went back and logged in as myself with my email address and created my own profile.

At the time, I though perhaps google was somehow defaulting to a 'pretend' person until my own profile was created... obviously this mustn't be the case.

Thanks for looping me in - very strange occurrence indeed. I also use googleapps for many things... including more than just this one domain.

-=-=

April 25th: Mail i dropped to Chang Morgan

Dear All,

The issue is still around.

Now more people are involved. Marking them as well.

@Chang Morgan, - Pulling you in to inform about this security issue.

The private information that i got has been send to Chang's personal account.

Guyz... We should do something about it.

Priyan
-=-=-=
May 19th: Mail to Derick

Dear Derick,

Just wanted to inform that when i opened google.com/notebook, instead of seeing my notes, it showed your account (See attached), like the way you see it. If you carefully read the below thread, this security issue is not just to google notebooks, but also google profile, google contacts and google help (So far).

Guyz, The danger has come and i am gonna delete all of my google account except the email (for which i need few months).

I posted the issues at security@google.com, which went unanswered. Google was a god given gift for me, but they are not caring about security issues.

Somebody here if you can help, it would be grateful.

Priyan
-=-=-=-=

Alast, i got a response from Google on 22nd of May (Nearly a month later after my email to security@google.com)

Hi Priyan,

The issue you're describing was reported by a small number of users
visiting a Google Help Center page from your ISP. As you described, those
users could become partially logged into the account of a recent viewer of
the same page from the same ISP. We have fixed the issue completely, and
we apologize for any inconvenience.

Thanks very much for reporting it to us.

Regards,
Manuel for
The Google Security Team

Response:

jijo vincent

2008-07-04T21:45:00.001-07:00

avan singaporel ethi..

bu hu hu hu ha

entammO..

enne kollu..

avaaara mon

DiCE Guyz

2006-09-17T07:25:00.000-07:00

DiCE Guyz

Priyadarsan V

Google providing access to other user accounts

jijo vincent

DiCE Guyz