
There's an iOS device attached to my Google account and I own no Apple products - djsumdog
http://penguindreams.org/blog/there-is-an-ios-device-attached-to-my-google-account-and-i-do-not-own-any-apple-products/
======
tantalor
This is super easy to do accidentally if you log into Google while simulating
a mobile device in Chrome devtools, because your user agent string tells
Google what device you are using.

First verify you don't have an iPhone (or whatever) in your recently used
devices:
https://security.google.com/settings/security/activity

    1. Open Chrome incognito window
    2. Open devtools
    3. Toggle device mode to iPhone (or whatever)
    4. http://google.com
    5. Log in

Now go back to recently used devices and you should see the new device.

Occam's razor implies PEBKAC.

~~~
ikeboy
But it should still have sent an email.

~~~
jethro_tell
Sure, if it was me logging into someone else's account (and there had to be
some conscious effort based on his random password), I'd log in and delete the
email immediately. Delete from inbox, delete from trash, refresh. It seems like
you would notice that but no one spends 24 hours a day looking at their email.
It probably wouldn't be that hard to slip by the best of us.

That's what two factor authentication is for. And not emailing the same
account for login notifications. I just don't find this too hard to believe.

~~~
nucleardog
If you have a recovery email set up it will also receive that notification.

------
markcerqueira
"I use a secure password algorithm." Maybe my notion of secure is wrong, but I
didn't find it particularly secure ("Ensure your system always gives you a
password between 8 and 9 characters long") or even convenient (absolutely no
mention of password managers, system is based on memorization).

And then moments later: "I currently don’t have two factor authentication."

Just seems like there's two people behind this post: one who is concerned
about security and one who doesn't fully leverage tools to enhance their
security.

Not ragging on the author. This just stuck out at me. I'm genuinely curious
and would love a follow-up if author can discover what happened.

~~~
ap22213
Quantitatively, how much more secure would using two factor authentication be
over what the author is doing?

Edit: Assuming that someone only crafts 9-plus-character passwords that don't
show up in dictionary attacks and aren't reused across sites, is 2FA going to
secure that person much more? I'm not challenging 2FA. Actually, I'm just
trying to motivate myself to use it.

~~~
shaftway
If done properly, immensely.

Sites can log invalid password attempts, and unscrupulous sites could include
attempted usernames and passwords. That basically gives them a dictionary of
accounts to try, because let's face it, most people use the same password for
multiple services. Sometimes people's muscle memory kicks in and they
accidentally type their password into the wrong site, or the wrong field.

With Google's 2FA, you need access to either a pre-printed list of emergency
codes, or the ability to see the person's incoming texts. That's where the "if
done properly" caveat comes in. Google Voice is generally a bad idea. If
someone accidentally gets into your email because you left it open, they also
have access to your incoming texts.

~~~
newjersey
I'd like to respectfully disagree. When done correctly, Google Voice can be as
good as if not better than a traditional cell phone. I treat my email with
more care than I treat my bank accounts. However, Google Voice is probably not
as good as the app on your phone though.

~~~
shaftway
https://support.google.com/accounts/answer/185834?hl=en#gvoice

I remembered the advice, but not the reason. It's because you can easily lock
yourself out of any way to get your otp. So maybe it's _too_ secure?

~~~
newjersey
Ah. I have an app for my main Google account but for other Google accounts, I
have them sent to my Google Voice number. (:

Mostly because I'm lazy and want to copy paste from hangouts on the computer.

------
puzzle
The most likely explanation is that one of his devices visited YouTube over
HTTP (not HTTPS) and his ISP "helpfully" installed some kind of caching proxy
that returned the wrong cookies to the wrong user. ISPs have been known to
cause mixups like that when cranking up caching aggressiveness to 11.

~~~
justizin
That doesn't really explain an iOS device being attached to the account.

~~~
puzzle
The ISP might have returned his cookie to someone else running iOS. The fact
that it only happened for a few hours might be explained by cache expiration.

~~~
ben_jones
If ISPs are returning cookies from the wrong users, wouldn't it also be
possible for login credentials (stored within cookies) to be returned as well?

~~~
puzzle
Login cookies are usually sent over HTTPS. Check your browser's cookie store,
you'll see that Google services use so many of them, also because of the many
hostnames and domains they are on. I suspect YouTube cookies because you can't
use google.com ones directly on its domain. And the console mentions devices
that have been used with the account, not that have been logged in or have
attempted to do so (an important distinction), which points again to cookies.
If he used Chrome or another browser supporting ChannelID, such a mixup would
have no consequence, because Google's GFE would detect the situation and mint
new cookies or redirect the user to a login page.

------
caf
_...manufacturers are known to leave unpatched versions of glibc, openssl and
the built-in web browser..._

Android doesn't use glibc.

------
pbarnes_1
No 2FA? That's... an interesting security choice.

~~~
gcb0
for YouTube viewing? really?

why would I go over the hassle to see cat videos? the worst that can happen is
someone steals my like or generates fake ad revenue.

not everyone has their life attached to a google account.

~~~
chrisbolt
> why would I go over the hassle to see cat videos? the worst that can happen
> is someone steals my like or generates fake ad revenue.

...or log in with an iOS device and freak you out, leading you to write a blog
post about it.

This is a blog post about possibly unauthorized access to a Google account,
pointing out the lack of 2FA is perfectly valid given the context.

------
jamescostian
One possibility is the author logged into an iOS device to check it out - e.g.
one of the devices Apple stores have lying around for people to test out - and
then forgot to log out, so when other people used YouTube on the same device,
their views were logged under the author's account.

------
thevibesman
(EDIT): Left my slightly off-topic comment below as it may be useful to some
people anyway; as the two child commenters pointed out, this doesn't
necessarily relate. It seems as if this was an attack, the non-gmail email
must have been compromised as well as I don't see a way to turn off these
notifications.

From what I have seen assisting others with compromised Google accounts (most
likely due to a phishing attack, but unconfirmed), emails that would give away
the compromise are usually deleted---either manually or via a filter[1].

Sometimes these deleted mails can be retrieved because they are not purged
completely, but deleted mail does not show up in Gmail search.

[1]: If you believe your account has been compromised, check your email
filters, I've seen weird delete filters added to accounts.
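
The filter check suggested in the footnote above can be scripted against a filter export; this is an added example, not part of the original comment. It assumes the Atom/`apps:property` layout of Gmail's exported `mailFilters.xml`; the sample export, the alert keywords and the function name `audit_filters` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}
# Filter actions that hide a message from the inbox or copy it elsewhere.
HIDING = ("forwardTo", "shouldArchive", "shouldMarkAsRead", "shouldTrash")
# Assumed markers of security notifications; extend for your own providers.
ALERT_TERMS = ("accounts.google.com", "security", "sign-in", "password",
               "alert", "verification")

# Constructed sample in the layout of a Gmail filter export (mailFilters.xml).
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry><apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='News'/>
    <apps:property name='shouldArchive' value='true'/></entry>
  <entry><apps:property name='from' value='no-reply@accounts.google.com'/>
    <apps:property name='shouldTrash' value='true'/></entry>
  <entry><apps:property name='hasTheWord' value='password reset'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='shouldArchive' value='true'/></entry>
  <entry><apps:property name='from' value='boss@example.com'/>
    <apps:property name='forwardTo' value='someone@example.net'/></entry>
</feed>"""


def audit_filters(xml_text):
    """Return (filter number, severity, hiding actions) for risky filters."""
    findings = []
    root = ET.fromstring(xml_text)
    for number, entry in enumerate(root.findall("atom:entry", NS), start=1):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.findall("apps:property", NS)}
        actions = [a for a in HIDING
                   if props.get(a, "").lower() not in ("", "false")]
        criteria = " ".join(props.get(k, "")
                            for k in ("from", "subject", "hasTheWord")).lower()
        if actions and any(term in criteria for term in ALERT_TERMS):
            findings.append((number, "high", actions))    # hides security mail
        elif "shouldTrash" in actions or "forwardTo" in actions:
            findings.append((number, "review", actions))  # confirm you made it
    return findings


if __name__ == "__main__":
    for number, severity, actions in audit_filters(SAMPLE_EXPORT):
        print(f"filter {number}: {severity}: {', '.join(actions)}")
```

A "high" result is a filter that hides or redirects mail matching a security-notification term; "review" is any other trash or forwarding rule whose origin should be confirmed.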

~~~
zippergz
But the email address on his account is not Gmail, so an attacker would have
had to separately compromise his non-Google mail server to achieve any of
this.

~~~
thevibesman
Oh, it's been a long day; I guess I forgot about that when I came back to
comment. (EDIT:) Thanks for the correction.

~~~
zippergz
I should have said, despite the fact that it doesn't fit in this specific
case, your overall advice is very good. This is quite common and definitely
something people should be aware of.

------
rajeevk
I had one interesting incident. I was not able to access my Twitter and Gmail
accounts both. The Twitter account was associated with that Gmail account. I
had the same password for both of them. I was able to recover my Gmail as the
attacker did not change the recovery email in my Gmail account. And hence I
could recover the Twitter account too. Then again I set the same password for
both of them. Next day the same thing happened again. Then I recovered both and
set different passwords and since then it is fine.

I wondered how someone could hack so easily. The passwords were not easy and I
cannot believe that anyone could guess that. I also checked the last access
time in Gmail and there was no suspicious activity there.

------
transitorykris
I'm curious to know what the author's gmail address is. I've experienced bad
behavior with the ability to add or remove dots from the mailbox name. Apple
(amongst some others) allows people to register iCloud accounts using
unverified email addresses. It is obviously a big leap to think the YouTube
app would respect the iCloud username.

------
Taylor_OD
This is a long shot... But if you use LinkedIn that could account for some of
the videos. They recently added an autoplay feature for their videos on the
home page that is very tedious to shut off. If you're logged into YouTube on
the same device it will play the videos and show up on your played videos on
YouTube.

------
cmdrfred
Maybe the iViewedThis API endpoint on the YouTube iOS app is not/was not
checking tokens correctly?

------
bitmapbrother
I can't figure it out so let's blame my Android phones running a hacked ROM
cobbled together by script kiddies on XDA.

