Geekzone: technology news, blogs, forums
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.

948 posts

Ultimate Geek
+1 received by user: 209


Topic # 230339 19-Feb-2018 20:57
Send private message quote this post

On 15th Feb I signed a new property into google analytics. i then went to put the client in as an admin so they can manage their analytics and pull the info they need and add others as required.


The client had no google account so I signed up a gmail account, logged out, logged back into my GA and added them as admin on ONE property. i have security logs that show this is what happened.


However - google then proceeded to make this new gmail account ( belonging to my client ) the owner of all my accounts. My log in was relegated as a recovery account only and all my search console, business analytics and ad words now was accessible by my clients gmail account. As I had sent them the log in details this posed quite a security problem.


Every time i logged in as my email address it switched to be my clients email address.


further more i have clients who have their own GA accounts and have invited me in to help them with it - my clients gmail account ended up on all their accounts as well. As you can imaging my clients are asking who in hades is <clients email address>


Google help told me I must have deliberately done this. Yeah right - I went through screen after screen of forms and sub forms systematically removing my email account and adding the clients - except I didn't.


Logging into my clients email account - which theoretically according to google was my account but with details changed - and changing it to my email address doesn't work as the primary email address cannot be changed - but according to help (see line above) i changed it yesterday. also according to help it cannot be changed. Hmm - a conundrum. either i changed the unchangeable or there is a huge security issue with google.


long story short - google help wants me to put this information into a public forum, alerting potential crackers there may be a security hole or issue with googles analytics sign up code that allows a master google analytics account to be owned by a sub account. and then have that information and accounts flow to other linked accounts. Personally I think the fact the recovery information can be sent to a third party email is a security hole allowing password recovery to happen.


they also want me to put my story on a public forum and get help resetting my passwords, account security and other details here in a public forum - Yup - that's exactly where account issues should be dealt with - online in a public forum - no security issues there.


there is no escalation path available to me other than to hang this probably flaw in google code ( exploitable via cookies on a shared pc would be the quickest method I assume) . I'm glad google advertises that security is their prime concern. i feel SOOOOO secure now i have given access to all my clients search consoles, ga, business sites and adverts to my client. I feel especially secure knowing that the best i can do is work from an account that I cannot remove my clients email address as the primary email address showing in the accounts area.


BTW - google help says the logs are probably wrong, incomplete or something - if so why bother having them at all?


This is the failure of cloud systems - they keep pushing support to public forums - even for security issues - with no escalation path. My business is a mess now - I am going to have to create a whole new google account, and find ways of moving all my clients across - individually. That's especially tough as I can only put a new account in as owner - not primary owner / god like access to google business. 2.5 hours of my day wasted talking to people who cannot o more than the basics in a very narrow range with no escalation process. 3.5 hours further wasted with spark not responding to a four week over due issue stopping a clients emails being accessed and spam binning everything from him (owing to the work of some third party spoofing of emails.).


Yes - I did put the information into a public forum - I hope they get hacked!!


Create new topic
276 posts

Ultimate Geek
+1 received by user: 1


  Reply # 1960614 19-Feb-2018 21:19
Send private message quote this post

Try going here and clicking the trash can next to Gmail

Then create a new Gmail account for your client - be sure to create a new Google account rather than add Gmail to an existing Google Account. Or better still create a Google account with their existing email address here

948 posts

Ultimate Geek
+1 received by user: 209


  Reply # 1961083 20-Feb-2018 16:14
Send private message quote this post

Made a new google account with the email address that was my google account.




Opened up chrome as the wrong email address / google account  and firefox as my new account then spent the day manually adding me as a user / upgrading to owner, transferring it into the new accout and removing / unverifying from the wrong account.




What a PITN - bloody aweful systems to use.









1315 posts

Uber Geek
+1 received by user: 324

  Reply # 1961101 20-Feb-2018 17:01
Send private message quote this post

Why don't you use the flaw to your advantage, sign up another G account as admin to one of your properties, and let it taker ownership of them all, putting yourself back in control?

Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:

Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:

Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:

News »

Windows no longer Microsoft’s main focus
Posted 13-Mar-2018 07:47

Why phone makers are obsessed with cameras
Posted 11-Mar-2018 12:25

New Zealand Adopts International Open Data Charter
Posted 3-Mar-2018 12:48

Shipments tumble as NZ phone upgrades slow
Posted 2-Mar-2018 11:48

Oppo R11s: high-end Android, budget price
Posted 27-Feb-2018 16:27

Samsung New Zealand introducing the Galaxy S9 and S9+
Posted 26-Feb-2018 07:00

Fujifilm X beats its best with new top of the range, high-performance camera
Posted 24-Feb-2018 14:05

One million kiwis affected by cybercrime
Posted 24-Feb-2018 13:58

New Zealanders want to engage with government online and via mobile apps
Posted 24-Feb-2018 13:56

Samsung launches Samsung Max
Posted 24-Feb-2018 13:52

CPTPP text and National Interest Analysis released for public scrutiny
Posted 21-Feb-2018 19:43

Foodstuffs to trial digitised shopping trolleys
Posted 21-Feb-2018 18:27

2018: The year of zero-login, smart cars & the biometrics of things
Posted 21-Feb-2018 18:25

Intel reimagines data centre storage with new 3D NAND SSDs
Posted 16-Feb-2018 15:21

Ground-breaking business programme begins in Hamilton
Posted 16-Feb-2018 10:18

Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.