Google has addressed a security problem with its Google Webmaster Tools which gave users access to obsolete accounts.
News of the situation spread across the Web Tuesday night after reports surfaced about it on search engine optimisation (SEO) blogs and news sites. According to Google, for several hours Tuesday, “a small set” of Webmaster Tools accounts were incorrectly re-verified for people who previously had access.
“We’ve reverted these accounts and are investigating ways to prevent this issue from recurring,” a Google spokesperson told eWEEK.
Google did not say what specifically caused the situation to occur. The issue could have been problematic for impacted organisations, as it gave account access to people who are not supposed to have it, such as former employees.
But the potential damage from malicious unauthorised access would have been no laughing matter, Naylor observed. “On a more serious note though, now that WMT is so much more powerful than it ever was there is a serious risk that damage could be caused to sites by people who no longer have permission to make changes,” he added. “Things like disavow link lists, deindex urls or the entire site, redirect urls, geolocation alterations… a whole world of pain.”
According to Darren Platt, CTO of identity and access management vendor Symplified, the incident highlights the potential problems of “identity silos” created by companies when they use cloud services.
“These redundant user information stores are maintained by each of the sites that a user accesses,” he said. “In enterprise IT architectures, we have learned – sometimes with considerable pain – that redundant data eventually goes out of sync. In this case, companies were managing user accounts for their web master tools within Google’s infrastructure – separately from centralised user management processes that secure their other applications. What happened here was Google made decisions about a given enterprise’s users without all of the knowledge the enterprise has about the user.”
However, there were obvious ways for Google could have prevented this problem, Platt noted. “In this scenario, if a company had being using SAML (Security Assertion Markup Language) to authenticate users to the WebMaster Tools service, they would have been able to prevent the old administrative accounts from regaining access,” he said.
“Using the SAML protocol Google would have sent the user back to their employer for authentication. Since the company knows the user no longer works there, they would have instructed Google not to allow that person access, Platt said.
“The biggest challenge right now with the exploding use of cloud/SaaS services among enterprises is raising awareness of these identity and access management issues,” he added. “Hopefully this incident will force companies to look for ways to prevent these problems from happening to them.”
Do you know all of Google’s secrets? Find out with our quiz!
Originally published on eWeek.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…