
Google Drive desktop client requests login credentials only once - vectorbunny
http://www.h-online.com/security/news/item/Google-Drive-opens-backdoor-to-Google-accounts-1735069.html
======
jonknee
If you're sitting at someone's computer you can do all sorts of stuff. Their
calendar and email are probably already open. You can look at their photos.
You can even listen to their music.

Update: I should add that this probably should be optional since it goes
against a reasonable expectation. But considering it requires an "attacker" to
have physical control of the computer, I don't find it super serious. Dropbox
behaves the same way (though I guess you usually don't see anything else on
the web that you can't on the desktop).

~~~
UnoriginalGuy
I completely agree with you, and in general hate when people whine about
security where there wouldn't be an expectation of some.

That being said, I think it would be nice if Google made this particular
functionality optional. For some shared user environments where you want to
maintain the illusion of privacy (e.g. "family computer"), it might be nice to
force a password to view more sensitive information (e.g. e-mail).

I won't comment on Dropbox because I don't expect any better from them with
regards to security.

~~~
jonknee
> That being said, I think it would be nice if Google made this particular
> functionality optional. For some shared user environments where you want to
> maintain the illusion of privacy (e.g. "family computer"), it might be nice
> to force password to view more sensitive information (e.g. e-mail).

Agreed. No difference for me since I have my Google powered mail all going
into Mail.app which does not require a password, but in some shared
environments I definitely see the point. Though in a shared environment you
should be using different accounts otherwise stuff like Google Drive and
Dropbox don't really make sense anyway.

------
sneak
Google Drive saves your login credentials, or at least some sort of
authentication token, otherwise you'd have to enter them every time at launch.

Naturally, anyone with access to your computer could use those to access your
Google Account. Google just made it more convenient for you, the authorized
user, to do so, by adding this feature. It does not reduce security in any
way, as even without the option to log in to your account on the web, the
authentication information for Google Drive will still be on your machine
unless you want to log in every time.

Of course, they could use a special authorization token _just_ for Google
Drive, but that's not how Google's services have ever worked.

~~~
semenko
"but that's not how Google's services have ever worked."

That's not totally true. A few services (Wallet, Account Activity) require you
to re-authorize yourself.

It's unfortunate that most Google products request "Full Account Access"
(along with specific services) -- especially as most third party apps request
only what they need. See:
<https://accounts.google.com/b/0/IssuedAuthSubTokens?hl=en>

------
Tomdarkness
According to Google this is not an issue but rather it was specifically
designed this way:

[http://productforums.google.com/d/msg/drive/SpN5gNF33Ys/3N0N...](http://productforums.google.com/d/msg/drive/SpN5gNF33Ys/3N0Nr_LhalUJ)

------
esolyt
This is not a backdoor. The behavior is expected, intentional and perfectly
normal.

------
stephengillie
Hello gigantic security backdoor!

This probably happens because Google Drive's Windows service caches your
credentials (or the special password you 2-factor users have to make for
programs that can't do 2-factor), in order to authenticate and sync between
cloud and desktop.

Clicking the link uses those cached creds to authenticate you and pass you to
the website...then since you're already authenticated, clicking "Gmail" takes
you to your inbox.

So maybe the credentials we give to Drive shouldn't have permissions to Gmail?
Can we set the permissions for the 2-factor passwords we create? Why not?

------
howeyc
This just in... every web browser is a security back door to all your web
apps!

If you sign in to a web service and click "remember this computer", close the
browser, get up and walk away, and someone else sits down at your logged in
computer they have access to all your web stuff!

This is a non-story. Working as intended.

~~~
Evbn
Which web browsers auto-login after the user explicitly logs out?

------
recursive
Google Talk has worked this way for years.

------
mpclark
If I log out of my Google account I get logged out of the Google Drive client
too, so I'm not sure there's a problem here.

[edit] Oh, wait. That's what happened the _first_ time I tried, but the next
log out worked exactly as described in the article.

------
capo
This is a bunch of alarmist nonsense. For starters, this is no "backdoor"; it's
front and center, and the author acts as if the concept of locking a user
profile behind a password on the OS level is a completely foreign one.

Client side software devs assume that a user set up a local password because
there is only so much that can be done for the user, and otherwise this makes
this sort of software very cumbersome to use on a continuous basis.

~~~
electromagnetic
I wasn't concerned for this exact reason. I have a secure desktop password and
take adequate precautions to ensure security.

The only real risk is with work computers, and anyone who doesn't have their
desktop go to screensaver with password unlock after 5-15 minutes of inactivity
is just an idiot.

When I was in the bank getting my mortgage, I noticed their computers stay on
for ~2 minutes before going back to a password screen for very obvious
reasons.

------
pootch
That's not a backdoor, it's a front door.

------
Evbn
With the new unified Google, users should think of local Drive as local
Google. It is hard to say if web based logout should trigger a local client
app logout, outside the web browser. Leaky abstractions FTL.

~~~
stephengillie
That the choice between security and convenience can _be_ made, in this
situation, is a reason I value these combined services less than I value
identical services provided from separate organizations.

If all of my eggs are in one basket, tradeoffs between security and
convenience will be too tempting.

