Google Webmaster Tools Erroneously Reactivates Obsolete User Accounts

Google said a small set of Webmaster Tools accounts were impacted and that it is investigating ways to prevent this from happening in the future.

Google has addressed a security hole affecting Google Webmaster Tools that gave users access to obsolete accounts they should not have been able to log into.

News of the situation spread across the Web Tuesday night after reports surfaced about it on search engine optimization (SEO) blogs and news sites. According to Google, for several hours Tuesday, "a small set" of Webmaster Tools accounts were incorrectly re-verified for people who previously had access.

"We've reverted these accounts and are investigating ways to prevent this issue from recurring," a Google spokesperson told eWEEK.

Google did not say what specifically caused the situation to occur. The issue could have been problematic for impacted organizations, as it gave account access to people who are not supposed to have it, such as former employees.

"From initial glance at our WMT’s (Webmaster Tools) accounts we now have regained access to every old account we have previously been given access to, whether that is a previous client or maybe a site that came to us for some short term consultancy," SEO blogger David Naylor wrote Tuesday. "What is also quite amusing (if you look on the funny side) is that you can see who won the client or who you won the client from.”

But the potential damage from malicious unauthorized access would have been no laughing matter, Naylor observed. "On a more serious note though, now that WMT is so much more powerful than it ever was there is a serious risk that damage could be caused to sites by people who no longer have permission to make changes," he added. "Things like disavow link lists, deindex urls or the entire site, redirect urls, geolocation alterations... a whole world of pain."

According to Darren Platt, CTO of identity and access management vendor Symplified, the incident highlights the potential problems of "identity silos" created by companies when they use cloud services.

"These redundant user information stores are maintained by each of the sites that a user accesses," he said. "In enterprise IT architectures, we have learned—sometimes with considerable pain—that redundant data eventually goes out of sync. In this case, companies were managing user accounts for their web master tools within Google's infrastructure—separately from centralized user management processes that secure their other applications. What happened here was Google made decisions about a given enterprise's users without all of the knowledge the enterprise has about the user."

However, there were obvious ways for Google could have prevented this problem, Platt noted. "In this scenario, if a company had being using SAML (Security Assertion Markup Language) to authenticate users to the WebMaster Tools service, they would have been able to prevent the old administrative accounts from regaining access," he said.

"Using the SAML protocol Google would have sent the user back to their employer for authentication. Since the company knows the user no longer works there, they would have instructed Google not to allow that person access, Platt said.

"The biggest challenge right now with the exploding use of cloud/SaaS services among enterprises is raising awareness of these identity and access management issues," he added. "Hopefully this incident will force companies to look for ways to prevent these problems from happening to them."