Geekzone: technology news, blogs, forums
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.

1423 posts

Uber Geek
Inactive user

#230339 19-Feb-2018 20:57
Send private message

On 15th Feb I signed a new property into google analytics. i then went to put the client in as an admin so they can manage their analytics and pull the info they need and add others as required.


The client had no google account so I signed up a gmail account, logged out, logged back into my GA and added them as admin on ONE property. i have security logs that show this is what happened.


However - google then proceeded to make this new gmail account ( belonging to my client ) the owner of all my accounts. My log in was relegated as a recovery account only and all my search console, business analytics and ad words now was accessible by my clients gmail account. As I had sent them the log in details this posed quite a security problem.


Every time i logged in as my email address it switched to be my clients email address.


further more i have clients who have their own GA accounts and have invited me in to help them with it - my clients gmail account ended up on all their accounts as well. As you can imaging my clients are asking who in hades is <clients email address>


Google help told me I must have deliberately done this. Yeah right - I went through screen after screen of forms and sub forms systematically removing my email account and adding the clients - except I didn't.


Logging into my clients email account - which theoretically according to google was my account but with details changed - and changing it to my email address doesn't work as the primary email address cannot be changed - but according to help (see line above) i changed it yesterday. also according to help it cannot be changed. Hmm - a conundrum. either i changed the unchangeable or there is a huge security issue with google.


long story short - google help wants me to put this information into a public forum, alerting potential crackers there may be a security hole or issue with googles analytics sign up code that allows a master google analytics account to be owned by a sub account. and then have that information and accounts flow to other linked accounts. Personally I think the fact the recovery information can be sent to a third party email is a security hole allowing password recovery to happen.


they also want me to put my story on a public forum and get help resetting my passwords, account security and other details here in a public forum - Yup - that's exactly where account issues should be dealt with - online in a public forum - no security issues there.


there is no escalation path available to me other than to hang this probably flaw in google code ( exploitable via cookies on a shared pc would be the quickest method I assume) . I'm glad google advertises that security is their prime concern. i feel SOOOOO secure now i have given access to all my clients search consoles, ga, business sites and adverts to my client. I feel especially secure knowing that the best i can do is work from an account that I cannot remove my clients email address as the primary email address showing in the accounts area.


BTW - google help says the logs are probably wrong, incomplete or something - if so why bother having them at all?


This is the failure of cloud systems - they keep pushing support to public forums - even for security issues - with no escalation path. My business is a mess now - I am going to have to create a whole new google account, and find ways of moving all my clients across - individually. That's especially tough as I can only put a new account in as owner - not primary owner / god like access to google business. 2.5 hours of my day wasted talking to people who cannot o more than the basics in a very narrow range with no escalation process. 3.5 hours further wasted with spark not responding to a four week over due issue stopping a clients emails being accessed and spam binning everything from him (owing to the work of some third party spoofing of emails.).


Yes - I did put the information into a public forum - I hope they get hacked!!

Create new topic
284 posts

Ultimate Geek


  #1960614 19-Feb-2018 21:19
Send private message

Try going here and clicking the trash can next to Gmail

Then create a new Gmail account for your client - be sure to create a new Google account rather than add Gmail to an existing Google Account. Or better still create a Google account with their existing email address here

1423 posts

Uber Geek
Inactive user

  #1961083 20-Feb-2018 16:14
Send private message

Made a new google account with the email address that was my google account.




Opened up chrome as the wrong email address / google account  and firefox as my new account then spent the day manually adding me as a user / upgrading to owner, transferring it into the new accout and removing / unverifying from the wrong account.




What a PITN - bloody aweful systems to use.








1515 posts

Uber Geek

  #1961101 20-Feb-2018 17:01
Send private message

Why don't you use the flaw to your advantage, sign up another G account as admin to one of your properties, and let it taker ownership of them all, putting yourself back in control?

Create new topic

Twitter and LinkedIn »

Follow us to receive Twitter updates when new discussions are posted in our forums:

Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:

Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:

News »

Menulog change colours as parent company merges with Dutch food delivery service
Posted 2-Jul-2020 07:53

Techweek2020 goes digital to make it easier for Kiwis to connect and learn
Posted 2-Jul-2020 07:48

Catalyst Cloud launches new Solutions Hub to support their kiwi Partners and Customers
Posted 2-Jul-2020 07:44

Microsoft to help New Zealand job seekers acquire new digital skills needed for the COVID-19 economy
Posted 2-Jul-2020 07:41

Hewlett Packard Enterprise introduces new HPE GreenLake cloud services
Posted 24-Jun-2020 08:07

New cloud data protection services from Hewlett Packard Enterprise
Posted 24-Jun-2020 07:58

Hewlett Packard Enterprise unveils HPE Ezmeral, new software portfolio and brand
Posted 24-Jun-2020 07:10

Apple reveals new developer technologies to foster the next generation of apps
Posted 23-Jun-2020 15:30

Poly introduces solutions for Microsoft Teams Rooms
Posted 23-Jun-2020 15:14

Lenovo launches new ThinkPad P Series mobile workstations
Posted 23-Jun-2020 09:17

Lenovo brings Linux certification to ThinkPad and ThinkStation Workstation portfolio
Posted 23-Jun-2020 08:56

Apple introduces new features for iPhone iOS14 and iPadOS 14
Posted 23-Jun-2020 08:28

Apple announces Mac transition to Apple silicon
Posted 23-Jun-2020 08:18

OPPO A72 a top mid-tier smartphone
Posted 19-Jun-2020 18:02

D-Link A/NZ launches new smart AX1500 Wi-Fi 6 Router
Posted 19-Jun-2020 15:03

Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.