

After clicking on "Visit Google Drive on the web", users are automatically logged into their Google account without having to enter a password.

The Windows and Mac OS X desktop clients for Google's Drive file storage and synchronisation service open a backdoor to users' Google accounts which could allow the curious to access a Drive user's email, contacts and calendar entries.

The sync tool includes a "Visit Google Drive on the web" link which opens Drive's web interface in the default browser and automatically logs the user in. The problem is that the resulting session is not limited to Drive: it can be used to switch to other Google services such as Gmail and Google Calendar.

Even if the user explicitly logs out of the Google sites by clicking the "Sign out" link, the Drive client will open a new session without requiring a password. The desktop clients request login credentials only once, when they are first installed and launched.
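The behaviour described above amounts to a design flaw in how web sign-out interacts with a long-lived credential held by a desktop client. The following is an added illustration, not Google's code and not a description of how Drive is actually implemented: it models an account service in which a client enrols once with password and one-time code, receives a device credential, and later exchanges it for a fresh web session without user interaction. In the weak configuration, "Sign out" only clears the browser session, so the device credential keeps minting new sessions; in the hardened configuration, signing out of a session that was opened from a device credential also revokes that credential, so the next automatic login fails until the user re-enrols. All class and function names are hypothetical.

```python
"""Model of the sign-out gap: web sign-out vs. a long-lived client credential.

Constructed example; the service, token format and policy flag are assumptions
made for illustration and do not describe any real Google component.
"""
import secrets


class AccountService:
    """Minimal account service with device credentials and web sessions."""

    def __init__(self, revoke_linked_device_on_signout: bool):
        # Policy under test: does an explicit web sign-out also revoke the
        # device credential that opened the session?
        self.revoke_linked_device_on_signout = revoke_linked_device_on_signout
        self.device_tokens = {}   # device token -> user
        self.web_sessions = {}    # session cookie -> (user, device token or None)

    def enroll_device(self, user: str, password_ok: bool, otp_ok: bool) -> str:
        """One-time enrolment: password plus one-time code, as at first launch."""
        if not (password_ok and otp_ok):
            raise PermissionError("enrolment requires password and one-time code")
        token = secrets.token_urlsafe(32)
        self.device_tokens[token] = user
        return token

    def open_web_session_from_device(self, device_token: str) -> str:
        """What the "Visit ... on the web" link does: no password, no code."""
        user = self.device_tokens.get(device_token)
        if user is None:
            raise PermissionError("device credential unknown or revoked")
        cookie = secrets.token_urlsafe(32)
        self.web_sessions[cookie] = (user, device_token)
        return cookie

    def web_sign_out(self, cookie: str) -> None:
        """The browser's "Sign out" link."""
        entry = self.web_sessions.pop(cookie, None)
        if entry is None:
            return
        _user, device_token = entry
        # Hardened variant: an explicit sign-out of a session that was minted
        # from a device credential revokes that credential too.
        if self.revoke_linked_device_on_signout and device_token is not None:
            self.device_tokens.pop(device_token, None)

    def is_signed_in(self, cookie: str) -> bool:
        return cookie in self.web_sessions


def auto_login_after_signout(service: AccountService) -> bool:
    """Enrol, open a web session, sign out, then let the client try again.

    Returns True if the second, password-less login succeeds (the gap the
    article describes) and False if the sign-out closed it.
    """
    token = service.enroll_device("alice", password_ok=True, otp_ok=True)
    first = service.open_web_session_from_device(token)
    assert service.is_signed_in(first)
    service.web_sign_out(first)
    assert not service.is_signed_in(first)
    try:
        second = service.open_web_session_from_device(token)
    except PermissionError:
        return False
    return service.is_signed_in(second)


if __name__ == "__main__":
    weak = AccountService(revoke_linked_device_on_signout=False)
    hardened = AccountService(revoke_linked_device_on_signout=True)
    print("weak design, client re-login after sign-out:", auto_login_after_signout(weak))
    print("hardened design, client re-login after sign-out:", auto_login_after_signout(hardened))
```

The point of tying revocation to the specific device credential that opened the session, rather than to every credential the user holds, is that a sign-out on one machine should not silently disable the user's other devices; the user who signs out on a shared PC loses only that PC's automatic login and must re-enter password and code to get it back.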

The backdoor is particularly problematic where a user shares their account with others or where a computer is not password protected. The link also gives malware running under the user's Windows or Mac account, a trojan for example, an unnecessarily simple route into the user's Google account.

Even Google's 2-step verification, which requires users to enter a one-time verification code when logging in to their accounts, does not protect users from this client-based access. For accounts with 2-step verification, the client will still log into the user's account as long as the code was entered when the client was first set up. Users who wish to continue to enjoy the convenience offered by the clients should therefore ensure that no one else is able to access the user account on their systems.

(crve)