Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


1053 posts

Uber Geek
+1 received by user: 225

Subscriber

Topic # 230339 19-Feb-2018 20:57
Send private message

On 15th Feb I signed a new property into google analytics. i then went to put the client in as an admin so they can manage their analytics and pull the info they need and add others as required.

 

The client had no google account so I signed up a gmail account, logged out, logged back into my GA and added them as admin on ONE property. i have security logs that show this is what happened.

 

However - google then proceeded to make this new gmail account ( belonging to my client ) the owner of all my accounts. My log in was relegated as a recovery account only and all my search console, business analytics and ad words now was accessible by my clients gmail account. As I had sent them the log in details this posed quite a security problem.

 

Every time i logged in as my email address it switched to be my clients email address.

 

further more i have clients who have their own GA accounts and have invited me in to help them with it - my clients gmail account ended up on all their accounts as well. As you can imaging my clients are asking who in hades is <clients email address>

 

Google help told me I must have deliberately done this. Yeah right - I went through screen after screen of forms and sub forms systematically removing my email account and adding the clients - except I didn't.

 

Logging into my clients email account - which theoretically according to google was my account but with details changed - and changing it to my email address doesn't work as the primary email address cannot be changed - but according to help (see line above) i changed it yesterday. also according to help it cannot be changed. Hmm - a conundrum. either i changed the unchangeable or there is a huge security issue with google.

 

long story short - google help wants me to put this information into a public forum, alerting potential crackers there may be a security hole or issue with googles analytics sign up code that allows a master google analytics account to be owned by a sub account. and then have that information and accounts flow to other linked accounts. Personally I think the fact the recovery information can be sent to a third party email is a security hole allowing password recovery to happen.

 

they also want me to put my story on a public forum and get help resetting my passwords, account security and other details here in a public forum - Yup - that's exactly where account issues should be dealt with - online in a public forum - no security issues there.

 

there is no escalation path available to me other than to hang this probably flaw in google code ( exploitable via cookies on a shared pc would be the quickest method I assume) . I'm glad google advertises that security is their prime concern. i feel SOOOOO secure now i have given access to all my clients search consoles, ga, business sites and adverts to my client. I feel especially secure knowing that the best i can do is work from an account that I cannot remove my clients email address as the primary email address showing in the accounts area.

 

BTW - google help says the logs are probably wrong, incomplete or something - if so why bother having them at all?

 

This is the failure of cloud systems - they keep pushing support to public forums - even for security issues - with no escalation path. My business is a mess now - I am going to have to create a whole new google account, and find ways of moving all my clients across - individually. That's especially tough as I can only put a new account in as owner - not primary owner / god like access to google business. 2.5 hours of my day wasted talking to people who cannot o more than the basics in a very narrow range with no escalation process. 3.5 hours further wasted with spark not responding to a four week over due issue stopping a clients emails being accessed and spam binning everything from him (owing to the work of some third party spoofing of emails.).

 

Yes - I did put the information into a public forum - I hope they get hacked!!





nunz

Create new topic
278 posts

Ultimate Geek
+1 received by user: 7

Trusted

  Reply # 1960614 19-Feb-2018 21:19
Send private message

Try going here and clicking the trash can next to Gmail https://myaccount.google.com/deleteservices

Then create a new Gmail account for your client - be sure to create a new Google account rather than add Gmail to an existing Google Account. Or better still create a Google account with their existing email address here https://accounts.google.com/SignUpWithoutGmail







1053 posts

Uber Geek
+1 received by user: 225

Subscriber

  Reply # 1961083 20-Feb-2018 16:14
Send private message

Made a new google account with the email address that was my google account.

 

 

 

Opened up chrome as the wrong email address / google account  and firefox as my new account then spent the day manually adding me as a user / upgrading to owner, transferring it into the new accout and removing / unverifying from the wrong account.

 

 

 

What a PITN - bloody aweful systems to use.

 

 

 

 

 

 





nunz

1364 posts

Uber Geek
+1 received by user: 345


  Reply # 1961101 20-Feb-2018 17:01
Send private message

Why don't you use the flaw to your advantage, sign up another G account as admin to one of your properties, and let it taker ownership of them all, putting yourself back in control?


Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

N4L helping TAKA Trust bridge the digital divide for Lower Hutt students
Posted 18-Jun-2018 13:08


Winners Announced for 2018 CIO Awards
Posted 18-Jun-2018 13:03


Logitech Rally sets new standard for USB-connected video conference cameras
Posted 18-Jun-2018 09:27


Russell Stanners steps down as Vodafone NZ CEO
Posted 12-Jun-2018 09:13


Intergen recognised as 2018 Microsoft Country Partner of the Year for New Zealand
Posted 12-Jun-2018 08:00


Finalists Announced For Microsoft NZ Partner Awards
Posted 6-Jun-2018 15:12


Vocus Group and Vodafone announce joint venture to accelerate fibre innovation
Posted 5-Jun-2018 10:52


Kogan.com to launch Kogan Mobile in New Zealand
Posted 4-Jun-2018 14:34


Enable doubles fibre broadband speeds for its most popular wholesale service in Christchurch
Posted 2-Jun-2018 20:07


All or Nothing: New Zealand All Blacks arrives on Amazon Prime Video
Posted 2-Jun-2018 16:21


Innovation Grant, High Tech Awards and new USA office for Kiwi tech company SwipedOn
Posted 1-Jun-2018 20:54


Commerce Commission warns Apple for misleading consumers about their rights
Posted 30-May-2018 13:15


IBM leads Call for Code to use cloud, data, AI, blockchain for natural disaster relief
Posted 25-May-2018 14:12


New FUJIFILM X-T100 aims to do better job than smartphones
Posted 24-May-2018 20:17


Stuff takes 100% ownership of Stuff Fibre
Posted 24-May-2018 19:41



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.