So I believe I have found a security hole in Google’s login systems, and why they need to unlink usernames with YouTube accounts, or they need to at least address this issue.  I’ll be brief.

Say you have a Google Account.  Say your other friend has a Google Account.  These two accounts are independent of each other, as in they have different User Names and Passwords.  Now, say that one of you, lets say here that its you, who creates a YouTube account to share with me.

This is a very common circumstance.  I have about 3 different accounts in YouTube that I share with other people, it makes it convenient to maintain the account, especially if its a busy one.

So here is the security hole: if I log into this ‘Shared” YouTube account, all I need to do is head on over to Gmail and waalaa! I’m now in your Gmail.  I have full access, and I can poke around all you want, without you knowing except for that little IP log at the bottom of the Gmail window.  I could do some real damage  and snooping.

This is a serious issue, please unlink the accounts.  Email is rarely shared, YouTube accounts are.

UPDATE: This is the response from Google about this issue.  Apparently these accounts were linked, and this is just the nature of the Google Accounts system.  I agree with the security team, there is no large risk, but this is still a problem in my opinion.

From Google:

Thank you for the clarification, and for helping me figure out the
nature of the problem.

As you noted, the user in fact disclosed his Google account password
to you, along with an “alias” on YouTube. This alias serves simply as
a nickname for his canonical account with Google, and the password
could be readily used to access services such as Google Mail or Google
Docs without the need to rely on YouTube at all.

Although the fact you gained access to all Google services by logging
in via YouTube with this alias may sound somewhat counterituitive to
people less accustomed to a variety of Google services, I believe
there is no security risk. As noted, you could have used the same
password, and his canonical account name, to simply log in at:

https://www.google.com/accounts/Login

…to gain access to the same services. Canonical account names are
not a secret, and could be easily discovered, e.g. through the YouTube
UI itself.

Now, it goes without saying that sharing your password with other
parties is usually not a good idea, for a number of reasons; if this
can’t be avoided, we would recommend creating a separate Google
account for this purpose.

My Short Rebuttal:

Absolutely Sir, I will add to my blog post now.  I have to say though, that it would not be a bad idea to give Google Account’s access permissions.  This would also prevent something confusing like this from happening.  The basic fact is, while your correct there is no large security risk, this user (my friend) had no intention, nor any indication (according to him) that he was allowing me to access his Gmail without his explicit consent.  Just something to consider…

I would like to praise Google right now, for their quick response time, and detail centered approach.  This encounter with them was exciting in its short life span.  Onward…