Tag Archives: google

UPDATE: After doing extensive checking with extended family, this has proven to be legitimate (though very unexpected). Please ignore the post and move along, Gmail is still secure for now! My sincere apologies for raising an alarm.

This morning I opened my laptop and went to gmail.com to check my email, but was a little confused at first. The first email was from Amazon Local Deals, which I was pretty sure I had unsubscribed from a while ago, and furthermore it was from an area I used to live in, but have since moved from. Then I saw that two people that I did not know had circled me on Google+, not completely unusual but still unexpected. Then the kicker… my name was gone from the top right, and instead I was inside of Sarah Jenkins’ account (name changed).

At that point I shot back to the inbox, and sure enough, I was in a completely different person’s account. All the emails were completely foreign, the chat list was full of people I did not know, and the +You name in the top right was definitely +Sarah, not +Joshua. I quickly checked Chrome’s Web Inspector and looked at the cookies. Indeed, everything appeared as if I were her, almost as if it was a Firesheep session, but it most certainly was not.

I certainly got out of her account as quickly as I could, but did take a quick screenshot and saved the network data (and corresponding cookie information) strictly for evidence in hopefully helping the Gmail team should they need debugging evidence. I would never want to violate this other person’s privacy, just as I would not want mine violated.

And that is what scared me: this happened to me, being in someone else’s account. But what if a different person in the meantime has been in mine? Email is the gateway to everything online, and I would never want anyone in my account that shouldn’t be there. An incredibly bizarre and potentially dangerous situation.

Facts:

 

  • I had not logged in, I had just opened Gmail in a new tab.
  • I use multi-login, and am normally logged into two other accounts at the same time. Neither of these accounts were available, just the other individuals.
  • I also use 2-step authentication (thankfully!), not sure if this would affect my account.
  • The cookie looked completely like her identification, nothing to do with mine.

One of the oddest things is that the stranger was 90% random, but based on their apparent location and a few email subjects, I could have in theory at least formerly lived near this person.

 

My best hypothesis right now is that there was a networking-based error that occurred somewhere along the way, where traffic destined for me/her was switched somewhere along the lines. Otherwise the culprit would have to be in Gmail’s systems. Either scenario is scary; this should never happen. Being in someone else’s account is like having the key to their kingdom. I could have read all of her emails, looked at her Youtube subscriptions or posted something as her, reset other possible accounts that send email password reminders or reset links–everything short of actually changing her Gmail password (which thankfully would have required me to actually know her existing password). In general, Google authentication is quite secure, but what happened today made me very nervous about my own account’s safety, and about the infrastructure in general.

If you are on the Gmail team and can follow up on this, please contact me. I will try and examine the .HAR files I exported when I get a chance, and if I have any updates I’ll report back here.

Share and Enjoy

  • Twitter
  • Google Plus
  • LinkedIn
  • Email
  • RSS
  • HackerNews
  • Instapaper
  • StumbleUpon
  • Facebook

Looks like Google is going to be getting more into the semantic web game, according to this article from the WSJ.

“Over the next few months, Google’s search engine will begin spitting out more than a list of blue Web links. It will also present more facts and direct answers to queries at the top of the search-results page.
“Google isn’t replacing its current keyword-search system, which determines the importance of a website based on the words it contains, how often other sites link to it, and dozens of other measures. Rather, the company is aiming to provide more relevant results by incorporating technology called ‘semantic search,’ which refers to the process of understanding the actual meaning of words.”

My guess is that Google will be using Schema.org markup, since that is what drives its +1 buttons for metadata, as well as potentially doing a bit of scraping/AI on existing content. Now would be a good time for all developers and content creators to evaluate how they are using semantic markup and make sure that they are up to par.

I have implemented Schema.org markup on this site through my Schema.org Twenty Eleven child theme. If you are using Twenty Eleven also, feel free to download it and start using it as well. You can read more about and download it here: Twenty Eleven Schema.org Child Theme. There is much more you can as well, specifically in adding custom and appropriate markup to individual posts/pages, but it provides a good start.

Share and Enjoy

  • Twitter
  • Google Plus
  • LinkedIn
  • Email
  • RSS
  • HackerNews
  • Instapaper
  • StumbleUpon
  • Facebook