

How many clicks does it take? - jgrahamc
http://blog.jgc.org/2010/08/how-many-clicks-does-it-take.html

======
fortes
I can't reproduce this -- can't get my Google Apps & Gmail account linked
(this is something I actually want, I'm the admin anyway)

~~~
StavrosK
I can't reproduce this either. What I _can_ reproduce is semi-logging in three
accounts (I see them in the list but they don't have gmail, so they're grayed
out).

In any case, I doubt the author tried this out. All multiple signon does is
allow you to easily switch between accounts _which you are logged in to_.
Logging out of one doesn't affect the others, and changing the password of one
doesn't change the password of any other account. It's basically a glorified
switcher, and there's no vulnerability to speak of. I know this because I
pseudo-linked the accounts, cleared all cookies and logged back in, and I was
only linked in one account versus the three I had before.

It would be good if people reporting vulnerabilities actually tested them
first :/

~~~
jgrahamc
OK. It's true that I haven't tried this recently, but I did see this happen
with one of my users a few weeks ago where I was suddenly in that user's
personal email account on a machine they'd never used.

~~~
StavrosK
Hmm, this is odd. Clearing the cookies cleared all the signins for me. We'll
have to wait and see, I guess (wait for a user with multiple Gmail accounts, I
mean).

------
msy
Why on earth would you link your work and private accounts? This should be
titled 'How many clicks does it take assuming you use gmail and you use google
apps at work and you link your accounts together.'

------
phreeza
Scary indeed, actually prompted me to reset my password for gmail, it has been
too simple for too long.

I remember cases here in Germany, where big companies were spying on their
employees, so the scenario of the "evil sysadmin" might even include the
sysadmin who is being coaxed by his superiors.

------
extension
Google needs to be crystal clear to Apps users about what access their
employers have to their account. I am surprised that they can change
passwords. What else can they do? Read mail sent outside the company? Read
unsent drafts?

------
cjeane
This article lacks substance and is overly alarmist. The best advice still
comes back to: use a strong password for your work and personal account.
Challenge and investigate any sysadmin that changes your password without
request.

