Welcome to my blog 2.0! February 14th, 2010

Well hello there friends! As you can easily see, I redesigned and re-implemented my blog. It was way overdue for a refresh, and I always wanted to make it much more minimalistic…so here, I present to you: evansamek.com 2.0.

I guess this means I have to start writing more…


[UPDATED]Google Security Hole – YouTube Login Logs You Into Gmail Too August 10th, 2009


So I believe I have found a security hole in Google’s login systems, and a reason why they need to unlink Google usernames from YouTube accounts, or at least address this issue. I’ll be brief.

Say you have a Google Account. Say your other friend has a Google Account. These two accounts are independent of each other, as in they have different user names and passwords. Now, say that one of you, let’s say here that it’s you, creates a YouTube account to share with me.

This is a very common circumstance. I have about 3 different accounts on YouTube that I share with other people; it makes it convenient to maintain the account, especially if it’s a busy one.

So here is the security hole: if I log into this “shared” YouTube account, all I need to do is head on over to Gmail and voilà! I’m now in your Gmail. I have full access, and I can poke around all I want, without you knowing except for that little IP log at the bottom of the Gmail window. I could do some real damage and snooping.

This is a serious issue, please unlink the accounts.  Email is rarely shared, YouTube accounts are.

UPDATE: This is the response from Google about this issue. Apparently these accounts were linked by design, and this is just the nature of the Google Accounts system. I agree with the security team that there is no large risk, but this is still a problem in my opinion.

From Google:

Thank you for the clarification, and for helping me figure out the
nature of the problem.

As you noted, the user in fact disclosed his Google account password
to you, along with an “alias” on YouTube. This alias serves simply as
a nickname for his canonical account with Google, and the password
could be readily used to access services such as Google Mail or Google
Docs without the need to rely on YouTube at all.

Although the fact you gained access to all Google services by logging
in via YouTube with this alias may sound somewhat counterintuitive to
people less accustomed to a variety of Google services, I believe
there is no security risk. As noted, you could have used the same
password, and his canonical account name, to simply log in at:

https://www.google.com/accounts/Login

…to gain access to the same services. Canonical account names are
not a secret, and could be easily discovered, e.g. through the YouTube
UI itself.

Now, it goes without saying that sharing your password with other
parties is usually not a good idea, for a number of reasons; if this
can’t be avoided, we would recommend creating a separate Google
account for this purpose.

My Short Rebuttal:

Absolutely, Sir, I will add to my blog post now. I have to say, though, that it would not be a bad idea to give Google Accounts access permissions. This would also prevent something confusing like this from happening. The basic fact is, while you’re correct that there is no large security risk, this user (my friend) had no intention, nor any indication (according to him), that he was allowing me to access his Gmail without his explicit consent. Just something to consider…

I would like to praise Google right now for their quick response time and detail-centered approach. This encounter with them was exciting in its short life span. Onward…
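To make the mechanism in the exchange above concrete, here is a small added model (my illustration, not Google’s code or anything from the exchange): a canonical account backs a service-specific alias, and a login through any alias yields one session that every service honours, which is exactly why a shared YouTube login also opens Gmail. The second login function models the per-service access permissions the rebuttal asks for, so the same alias login can reach only the service it was performed on. All account names, aliases and passwords are constructed sample data.

```python
"""Toy model of single-account login versus per-service scoped login.

Added example, not from the original post or from Google. Account
records, aliases and passwords below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional, FrozenSet
import hmac

# Constructed sample data: one canonical Google-style account that also
# carries a YouTube nickname ("alias"). The alias is not a secret.
ACCOUNTS = {
    "friend@example.com": {
        "password": "constructed-password",
        "aliases": {"youtube": "coolvideos42"},
    },
}

# Services that a single canonical account fronts.
SERVICES = frozenset({"youtube", "gmail", "docs"})


@dataclass(frozen=True)
class Session:
    canonical: str              # the real account the session belongs to
    scopes: FrozenSet[str]      # services this session is allowed to reach


def resolve_alias(service: str, name: str) -> Optional[str]:
    """Map a service nickname (or the canonical name itself) to the
    canonical account. Returns None if nothing matches."""
    for canonical, rec in ACCOUNTS.items():
        if name == canonical or rec["aliases"].get(service) == name:
            return canonical
    return None


def _check_password(canonical: str, password: str) -> bool:
    # Constant-time comparison; both sides are plain str here.
    return hmac.compare_digest(ACCOUNTS[canonical]["password"], password)


def login_unscoped(service: str, name: str, password: str) -> Optional[Session]:
    """Behaviour described in the post: logging in through any alias on
    any service grants a session that is valid for every service."""
    canonical = resolve_alias(service, name)
    if canonical is None or not _check_password(canonical, password):
        return None
    return Session(canonical, SERVICES)


def login_scoped(service: str, name: str, password: str) -> Optional[Session]:
    """The rebuttal's suggestion: a login performed on one service only
    authorizes that service. Reaching Gmail would need a Gmail login."""
    canonical = resolve_alias(service, name)
    if canonical is None or not _check_password(canonical, password):
        return None
    return Session(canonical, frozenset({service}))


def authorize(session: Optional[Session], service: str) -> bool:
    """Each service checks the session's scopes before serving a request."""
    return session is not None and service in session.scopes


if __name__ == "__main__":
    shared = login_unscoped("youtube", "coolvideos42", "constructed-password")
    print("unscoped YouTube login reaches Gmail:", authorize(shared, "gmail"))
    scoped = login_scoped("youtube", "coolvideos42", "constructed-password")
    print("scoped YouTube login reaches Gmail:", authorize(scoped, "gmail"))
```

Run it and the unscoped login reports True for Gmail while the scoped one reports False; the alias still resolves to the same canonical account in both cases, so the fix is not hiding the alias (Google’s reply notes it is discoverable anyway) but narrowing what a session obtained through one service is allowed to do.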


New Blog, and the Plugins that Make it Work April 20th, 2009

Hey All!

Welcome to my new blog. It hasn’t changed that much, but at least I’m finally heading in some direction with it. I thought for my first new post I would write about the plugins I’m using this time around.

  • Contact Form 7 – This plugin is amazing. A really simple-to-use AJAX form that even has a form generator in the admin section for a truly customizable experience. It even has a built-in option for a CAPTCHA area, to prevent spam. (However, you have to download this as a separate plugin to use the functionality.)
  • Flickr Gallery – A really simple-to-use Flickr implementation plugin that allows you to import your Flickr photostream in a variety of customizable ways. Currently I have mine set to display the most recent uploads.
  • Twitter Updater – Automatically sends a tweet to my twitter profile to let my followers know I just posted a new blog post.
  • All in One SEO Pack – Everyone should know about this one already.
  • Google SiteMaps XML – Again, a great SEO tool which everyone already knows about.
  • Ozh’ Admin Drop Down Menu – Now this plugin is incredibly helpful. It puts all admin section navigation in drop-down menu format with CSS. I couldn’t stand having to click through the various higher-level nav to get to the lower-level admin pages. This saved me about 15 minutes of clicking time.
  • Sociable – Easy integration of social networking and bookmark services. (Which is below this post…tweet me please!)

I’m also using various other plugins, but they are technical and/or aren’t important enough to talk about here. Anyway, enjoy the new blog look and feel. Hopefully, now that I have a more presentable blog, I will write more.

Evan
