I wasn't exactly sure who would look into this, but I started the ball rolling internally and asked if someone could investigate.
The post has been updated:
"UPDATE: After doing extensive checking with extended family, this has proven to be legitimate (though very unexpected). Please ignore the post and move along, Gmail is still secure for now! My sincere apologies for raising an alarm."
So, back to your regular Christmas Eve activities.
Since my comment is awaiting moderation there, and there are no other comments so I suspect he's withholding all of them, I'll also post my comment here.
This seems to me as a session collision. You looked at the cookie, so you know something about how these things work, but just to be sure I'm going to explain it in basic terms. Keep in mind that this is just my theory, I'm not affiliated with Google and have never experienced this myself.
When you log in, on pretty much any website, it generates a session. This session must be unpredictable so that others can't guess what your session is, so there is some random generator involved. An example session could be 7583 (in practice it will be a much larger number, usually with letters or even special characters involved).
When someone else logs in, they will also have a session generated for them. If the random generator happens to pick the same number, it might overwrite your session. If you then open the tab (and your browser remembers the session to keep you logged in), you will appear to be logged in as someone else.
This should never happen. The server should check whether the generated number is already in use. However, the odds of this are incredibly low. With 64-bit sessions, the odds of having two people have the same session is 1 in approximately 18446744073709551616. Even with a billion users logging in, subtract 9 decimal positions from that and it's still one in eighteen billion. But it might just happen.
With the millions of users that Gmail has, it might take a lot of resources to check if the session exists somewhere in the world. Or perhaps your session had expired and has been removed, and then someone else logged in and got the session that you were previously assigned. Your browser, not knowing that its session cookie had expired, simply used it.
The odds of this are just so incredibly low, it's very surprising that it happened - if this is what happened. It would perfectly fit your explanation though. Looking at Gmail's cookie, I can't really figure out how many bits of randomness they use. The length is 194 bytes when base64-decoding it, so that would be 1.58*(10^467) possibilities. But I think they simply store some more data there, not just your session.
Hmm, writing this down and looking at the numbers, it's actually more likely that something else messed up, especially considering the complexity of Google's network. Anyhow, a very interesting bug.
Sites normally employ various mechanisms to prevent session fixation attacks[1] and similar malice. These mechanisms prevent session collisions as a side-effect, thus your scenario seems rather unlikely.
I opened up the Chrome Web Inspector, switched to the Network tab and verified that a couple of requests had indeed gone through, right clicked, and chose "Save all as HAR." That's how I saved the data specifics like cookies.
UPDATE: After doing extensive checking with extended family, this has proven to be legitimate (though very unexpected). Please ignore the post and move along, Gmail is still secure for now! My sincere apologies for raising an alarm.
(Emailed PG to ask the post be removed, no need for it to stay up.)
Well, that is good to know! Hopefully you are updating the site.
Can you provide any more detail on how it happened? Did a cousin's friend come over or something? Perhaps there are lessons for others to learn from this regarding securing your computer for guest use (i.e., I wonder if Sarah had access to your mail temporarily).
Scary. It is quite honorable for you not to violate that person's privacy. As a physician, this is of the utmost importance for our patients and it is nice to see honest people out there.
this is the most likely explanation. That, of course, doesn't make it the explanation, because unlikely things happen all the time (just ask the White Queen)
> a networking-based error that occurred somewhere along the way, where traffic destined for me/her was switched somewhere along the lines
SSL prevents this from happening, right? If you mean that a system responsible for returning a gmail session cookie got your traffic mixed up, seems like that would have to happen at the application-layer rather than networking.
SSL simply encrypts the connection between your browser and the server. There is no telling what happens inside Google's datacenters.
For example, if you try to reach any Google IP, it will route to the nearest datacenter regardless of where you are in the world. If the datacenter doesn't have the data that it needs to respond to your request, it internally requests the data. It might have messed up there. We can't tell.
Something very similar happened to me four or five years ago. I had just sat down at my laptop and opened the browser. Imagine my surprise when it correctly navigated to iGoogle, but under someone else's account. I looked around just enough to verify that I was locked into a session and then took some screenshots, wrote a detailed explanation of the past five minutes, and sent them along to Google. Never heard back.
The zip code in the iGoogle page weather widget suggested it was someone that lived in my general area, but I didn't recognize the name. This wasn't a shared laptop. I believe this also predated SSL-on-by-default so I guess it is possible traffic got mixed up somewhere.
Matt_Cutts|13 years ago
ljoshua|13 years ago
TallboyOne|13 years ago
Ives|13 years ago
lucb1e|13 years ago
jemfinch|13 years ago
Please read about the Birthday Paradox: http://en.wikipedia.org/wiki/Birthday_Paradox . The probability of a random collision in 64 bits is 1 in 2^32, not 1 in 2^64.
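The collision estimate debated in this thread, worked through as an added example (not code from any commenter or from Google): a birthday-bound calculation plus a toy session store showing what the "check whether the generated number is already in use" step prevents. The `SessionStore` class, the `simulate` helper and the deliberately tiny 16-bit demo ID size are assumptions made for illustration.

```python
import math
import secrets


def collision_probability(bits: int, sessions: int) -> float:
    """Birthday-bound estimate: chance that at least two of `sessions`
    uniformly random `bits`-bit IDs are identical."""
    return -math.expm1(-sessions * (sessions - 1) / 2 ** (bits + 1))


class SessionStore:
    """Hypothetical in-memory session table (illustration only)."""

    def __init__(self, id_bits: int, check_existing: bool):
        self.id_bits = id_bits
        self.check_existing = check_existing
        self.sessions = {}    # session ID -> user
        self.overwritten = 0  # logins that took over a live session ID

    def login(self, user: str) -> int:
        sid = secrets.randbits(self.id_bits)
        # Redraw while the ID is already live, as the thread says the server should.
        while self.check_existing and sid in self.sessions:
            sid = secrets.randbits(self.id_bits)
        if sid in self.sessions:
            # Without the check, the earlier user's cookie now resolves to `user`.
            self.overwritten += 1
        self.sessions[sid] = user
        return sid


def simulate(id_bits: int, logins: int, check_existing: bool) -> int:
    """Return how many live sessions were silently replaced."""
    store = SessionStore(id_bits, check_existing)
    for i in range(logins):
        store.login(f"user{i}")
    return store.overwritten


if __name__ == "__main__":
    print(f"64-bit IDs, 10^9 sessions: {collision_probability(64, 10**9):.4f}")
    print(f"64-bit IDs, 2^32 sessions: {collision_probability(64, 2**32):.4f}")
    print(f"128-bit IDs, 10^9 sessions: {collision_probability(128, 10**9):.3e}")
    # Constructed demo: 16-bit IDs are deliberately tiny so collisions show up.
    print("overwrites without check:", simulate(16, 2000, False))
    print("overwrites with check:   ", simulate(16, 2000, True))
```

The probabilities cover any pair among all live sessions colliding, which is why they are far higher than the chance of one specific session being guessed or duplicated.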
wfunction|13 years ago
Sounds like someone used Maximum Likelihood instead of Maximum A Posteriori.
moe|13 years ago
[1] http://en.wikipedia.org/wiki/Session_fixation
thrownaway2424|13 years ago
Joeri|13 years ago
eykanal|13 years ago
* a screenshot
* "network information" (what does that include?)
* cookie information - I assume you just saved the cookie, itself, but which did you save? Everything in your cookies directory at the time?
* ...?
ljoshua|13 years ago
ljoshua|13 years ago
erdevs|13 years ago
tashfeen|13 years ago
learn|13 years ago
chrisballinger|13 years ago
ljoshua|13 years ago
hnriot|13 years ago
davidu|13 years ago
(should be irrelevant due to HTTPS, but still)
adulau|13 years ago
ljoshua|13 years ago
cjbprime|13 years ago
lucb1e|13 years ago
trvrprkr|13 years ago
rscott|13 years ago
dennisgorelik|13 years ago
killerpopiller|13 years ago
lobster45|13 years ago
Joeri|13 years ago
polarrat|13 years ago
capo|13 years ago