{"id":613,"date":"2012-12-24T08:15:50","date_gmt":"2012-12-24T15:15:50","guid":{"rendered":"https:\/\/www.joshualyman.com\/?p=613"},"modified":"2013-12-11T16:14:30","modified_gmt":"2013-12-11T23:14:30","slug":"gmail-just-logged-me-in-as-someone-else","status":"publish","type":"post","link":"https:\/\/www.joshualyman.com\/2012\/12\/gmail-just-logged-me-in-as-someone-else\/","title":{"rendered":"Gmail just logged me in as someone else"},"content":{"rendered":"
UPDATE: After doing extensive checking with extended family, this has proven to be legitimate (though very unexpected). Please ignore the post and move along, Gmail is still secure for now! My sincere apologies for raising an alarm.<\/strong><\/p>\nThis morning I opened my laptop and went to gmail.com to check my email, but was a little confused at first. The first email was from Amazon Local Deals, which I was pretty sure I had unsubscribed from a while ago, and furthermore it was from an area I used to live in, but have since moved from. Then I saw that two people that I did not know had circled me on Google+, not completely unusual but still unexpected. Then the kicker… my name was gone from the top right, and instead I was inside of Sarah Jenkins’ account<\/strong> (name changed).<\/del><\/p>\nAt that point I shot back to the inbox, and sure enough, I was in a completely different person’s account. All the emails were completely foreign, the chat list was full of people I did not know, and the +You name in the top right was definitely +Sarah, not +Joshua. I quickly checked Chrome’s Web Inspector and looked at the cookies. Indeed, everything appeared as if I were her, almost as if it was a Firesheep session, but it most certainly was not.<\/del><\/p>\nI certainly got out of her account as quickly as I could, but did take a quick screenshot and saved the network data (and corresponding cookie information) strictly for evidence in hopefully helping the Gmail team should they need debugging evidence. I would never want to violate this other person’s privacy, just as I would not want mine violated.<\/del><\/p>\nAnd that is what scared me: this happened to me, being in someone else’s account. 
But what if a different person in the meantime has been in mine? Email is the gateway to\u00a0everything<\/strong> online, and I would never want anyone in my account that shouldn’t be there. An incredibly bizarre and potentially\u00a0dangerous\u00a0<\/strong>situation.<\/del><\/p>\nFacts:<\/h3>\n
\n
One of the oddest things is that the stranger was 90% random, but based on their apparent location and a few email subjects, I\u00a0could<\/em>\u00a0have in theory at least formerly lived near this person.<\/del><\/p>\nMy best hypothesis right now is that there was a networking-based error that occurred somewhere along the way, where traffic destined for me\/her was switched somewhere along the lines. Otherwise the culprit would have to be in Gmail’s systems. Either scenario is scary; this should never happen. Being in someone else’s account is like having the key to their kingdom. I could have read all of her emails, looked at her YouTube subscriptions or posted something as her, reset other possible accounts that send email password reminders or reset links–everything short of actually changing her Gmail password (which thankfully would have required me to actually know her existing password). In general, Google authentication is quite secure, but what happened today made me very nervous about my own account’s safety, and about the infrastructure in general.<\/del><\/p>\nIf you are on the Gmail team and can follow up on this, please contact me<\/a>. I will try and examine the .HAR files I exported when I get a chance, and if I have any updates I’ll report back here.<\/del><\/p>\n","protected":false},"excerpt":{"rendered":"