
Someone left my Gmail in debug mode - zatkin
https://medium.com/@zg/someone-left-my-gmail-in-debug-mode-8aa1b1c46172
======
defenestration
An icon of a skull with bones was used for the debugger. That, in combination
with the 'Spy' components, is giving users an eerie feeling. Note to myself:
don't be funny in debug mode.

~~~
vassy
A friend of mine works at an insurance company and used Testicle as a test
name. It wasn't that funny when a customer called his workplace asking why he
got a letter that starts with "Hello Mr Testicle".

~~~
philbarr
I used to work at a place where a guy used "Hello Fuckers" as test data. Our
manager got a very angry call from a customer who printed out a 300-page
report with "Hello Fuckers" at the end of every line.

~~~
dogma1138
10 years ago I built an internal system for tickets (really old school VB and
an internal Access DB) for helpdesk & ISM. The internal error code for closed
tickets due to user error was id10t. It was an internal joke until they decided
to pull data from it into the new CA Unicenter system, which then led to a
bunch of quite important people's names appearing with the column next to it
saying id10t on the big 50" plasma screens in the new NOC/IT operations
center.

------
nodesocket
I'm guessing just one or a small number of servers were in debug mode by
accident, thus like winning the lottery that your request hits a debug server.

------
sauere
I experienced the exact same issue on a paid Google Apps for Business account
yesterday evening around 11pm CET.

Creeped me out, I assumed it was some browser plugin gone rogue.

~~~
tajen
Did you deactivate all your browser plugins since? I activate them on demand
and keep them off most of the time (especially browser screenshot tools and
syntax coloration of json).

------
tedchs
FYI this is a known issue:
[https://support.google.com/a/answer/6166309?hl=en](https://support.google.com/a/answer/6166309?hl=en)

------
courtneypowell
I experienced the same issue today. Entire screen was blank with the exception
of the page header. I was only able to access my mail in an incognito browser.

------
nishantmodak
I can see this in my inbox too!

------
umanwizard
Releasing this code that was obviously not intended to ever be public rubs me
the wrong way a bit -- not to mention, it's probably illegal.

Edit: "publicizing", not "releasing". As others pointed out, the website
doesn't contain any actual code.

~~~
Archio
> it's probably illegal

I certainly, _certainly_ hope not. While of course there is an ethical
question involved here, making it illegal to release "code that was obviously
not intended to be public" is a MASSIVE slippery slope. I could put your
grandmother in jail for clicking a broken link in her email and sharing the
confusing things she saw, because of a "bug" in my app.

~~~
TheDong
It definitely has a good chance at being illegal. So does your grandmother
clicking a link in the email if she has any hint of an idea that she's not
supposed to click that link (e.g. if the email said "you are not permitted to
access this link" it suddenly could be illegal to intentionally visit it).

It's called the "Computer Fraud and Abuse Act"[0].

The exact portion is: "Whoever intentionally accesses a computer without
authorization or exceeds authorized access, and thereby obtains information
from any protected computer" is guilty of a criminal offence.

This user of Gmail obviously surmised this was debug information he was not
meant to see. As soon as he clicked that debug link or the detail link, he was
intentionally accessing information without authorized access. He knew he was
not supposed to access that information and he did so anyways.

The CFAA has been used before for things not too far off for this. 3Taps[1] was
found guilty of CFAA abuse when it scraped Craigslist after its IPs were
banned.

Weev[2] was prosecuted under the CFAA for accessing unprotected AT&T customer
data that was hidden behind a url with an incrementing integer ID (no
password, no username, just a perl script to increment a url parameter in a
get request).

This is a fairly well documented law that has been used a number of times and
it's almost certain that the author is guilty under it, as written. It's one
hell of a broad law.

[0]:
[https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act](https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act)

[1]:
[https://en.wikipedia.org/wiki/Craigslist_Inc._v._3Taps_Inc](https://en.wikipedia.org/wiki/Craigslist_Inc._v._3Taps_Inc).

[2]: [https://www.eff.org/deeplinks/2013/07/weevs-case-flawed-begi...](https://www.eff.org/deeplinks/2013/07/weevs-case-flawed-beginning-end)

~~~
Falkon1313
Looks like the user was accessing his own browser on his own computer, so he
probably had authorization to do that, and it's unlikely that his own computer
was 'protected' against him obtaining information from it.

Would you say that everyone who has ever clicked 'view source' is a criminal?
(despite the fact that the source was sent to them in plain-text with the
knowledge that a 'view-source' function is available to them)

~~~
TheDong
Weev was also accessing AT&T's servers from his own computer using his own
software.

This user was accessing Google's debug servers and debug information. Did you
read up on the Weev case? It's not that dissimilar. It seems like you're being
intentionally obtuse in saying "his computer was not protected from him",
well, no, Google's debug servers and information were meant to be.

If someone accesses the source code of a website while knowing that the
website author intends them to not access it, then yes, they're potentially
exceeding their authorized access and breaking the law under the CFAA.

I don't think the law is good nor makes sense, but explaining why it's dumb
logically to me doesn't help. You're preaching to the choir. I know it's dumb
and doesn't make sense. This law was created by people who do not understand
technology or the internet except by analogies to it being "kinda like a
supermarket" or such.

I gave suitable evidence that this is quite possibly illegal because of a dumb
law. You've told me that it's dumb for this to be illegal (yes it is dumb) as
if that means it can't be illegal. That's not a rebuttal to the links and
statements I provided and, without a meaningful counter argument that isn't
you intentionally being obtuse about what I said, you aren't furthering this
discussion.

~~~
Falkon1313
Perhaps I missed something. I don't see anything about the user accessing
Google's protected debug servers that require authorization. I see
'mail.google.com' then 'about:blank' in the url bar, which indicates that he's
accessing a public server and then probably accessing data already on his
machine. Data that they chose to send to him and present to him within his
browser with controls that were displayed to him to allow him to access it
because they decided he was authorized to see it.

I don't know much about Weev's case except that it sounds like it was
information that AT&T had decided that the public was authorized to access
without any authentication or protection. They screwed up. I agree that a lot
of legal people are tech-illiterate, and they screw up, too. Which may be why
they eventually bailed on a venue technicality rather than address the actual
case.

But your point was: "Whoever intentionally accesses a computer without
authorization or exceeds authorized access, and thereby obtains information
from any protected computer" (which doesn't really sound that dumb on its own)

My point is that you're authorized to access your own computer and it isn't
protected from you, so that would not apply (unless the legals involved
couldn't figure it out). Is clicking the 'About' button in the help menu of an
application and accessing the version number a crime? Seeing the Gmail debug
info in Chrome is just that with more detail. Try putting "chrome://about" in
your Chrome url bar. Ooh, there's data. Lots of debug data. Are you a criminal
now? No, it's your system and you're authorized to use it. And the makers of
Chrome chose to give you access to that data. Just for fun, try chrome://quit/

