Tell HN: Google Cloud lets anyone add you to a project without your permission
The worst part is that you can’t leave the project after you’re added. Google requires the project owner remove you. They provide no way to remove yourself. I’ve tried contacting the company that added me but they’ve not responded to my requests.
I also tried contacting Google support and they’ve been less than helpful. At first, they thought that my account was hacked. I pointed out that this was not due to a hack, but due to Google’s faulty invite system. They responded back and said they didn’t see any association between my email and the project. So they listed the case as resolved and said they couldn’t discuss any further details about the project. This is despite the fact the unwanted project still appears on my GCP dashboard. I suspect they didn’t see any association because they were just checking the projects owned by my account and not checking projects I’ve been added to.
This whole situation seems like a recipe for unwanted spam since you can be added to projects without permission and can’t ever remove yourself. My biggest fear is if that company uses the project to do something malicious then my account might be banned by association. This could also be used in other ways. E.G. you could flood a competing startup's cloud dashboard with hundreds of bogus projects. You could even use it to get someone in trouble by adding them to a project that's doing illegal stuff (e.g. hosting illegal content). If this was limited to adding people within your GCP/GSuite this would be a minor issue because I doubt your coworker is going to use GCP to spam you / get you in trouble. However, the ability to add anyone and everyone outside of your GCP/GSuite makes this a huge issue in terms of spam / safety. Overall, this is a major oversight on Google’s side and is a huge security, privacy, and spam risk.
To date, I’ve still been unable to get any help from Google to resolve this issue. If there’s any Googlers willing to help, I would be extremely grateful.
129 comments
[ 3.1 ms ] story [ 177 ms ] thread1. Create throwaway account
2. Create throwaway project using throwaway account
3. Find emails of possible Googlers using public bug tracker
4. Add Googlers' emails to throwaway project
5. Post messages to throwaway project describing the problem
6. Hopefully Googlers understand the issue and can forward the issue to get it resolved
8. Associated real Google accounts get locked for being associated with throwaway (unless you have really good OpSec)
Might be worth a post on their bug bounty program though, assuming GCP is in scope https://bughunters.google.com/
Edit: Reported it
1. Create a throwaway account.
2. Add a bunch of professional developers' at big companies email addresses to the account. Just shoot in the dark: johnanderson@google.com, mikejohnson@airbnb.com, wandamaximov@apple.com, throw in a couple common email aliases as well like developers@twitter.com or mobileteam@airbnb.com
3. Publish a bunch of apps to the play store which clearly breaks their app store policies
4. Google has been known to automatically network-ban associated accounts and their play store apps if a play store account is found in violation of their policies.
Also, harvesting actual emails from github is really easy.
You could potentially bring down iCloud.
(Maximum fun when you sue your own employer.)
Project name: bob-does-[unsavory thing]
Adds Bob to project
This model is used because otherwise providing permissions becomes extremely difficult, and users are more likely to throw away the entire concept and settle for one common set of credentials for all users across the project (in the form of a common Google account in case of GCP, or the root user credentials in AWS.)
Imagine you're a malicious actor and want to spam some company's Google Cloud Dashboard. You could just create a 100 different projects and add the company's users to those projects automatically, even though you're not part of that company. Those projects can never be removed or deleted from the dashboard. So every user at the company you're trying to spam can never get rid of it (without Google support intervening maybe).
Or let's say you're a malicious actor trying to get someone in trouble. You could create a Google account and hide all traces of who created it. Then you could just create a project doing something illegal (e.g. hosting illegal content) and then add someone to the project. When the authorities find out about the project, the person you're targeting will get investigated for hosting illegal content.
Same for AWS, granting an identity in another account access to resources in your own AWS project also requires no approval on the other side. The issue you seem to have with Google is that it's verbose about showing everything you have access to.
As for the company scenario, this is effectively not an issue for Google Workspace-enabled domains since your default project list shows projects under your domain (if you're not parented to gmail.com).
Even if it is the case, it is still an issue because it can be used for abuse. If you wanted to pin abuse on someone you just need to add them to the project doing something illegal. Google tends to be trigger happy about banning so it could affect someone. I bet there are avenues for companies to deal with a situation like this, but it still affects individuals which is a big problem. Especially if your personal account gets banned.
I'd also argue that it's a spam issue for companies (albeit less than it is for individuals). You may not see it by default for companies, but it will still appear in some lists throughout the UI probably.
I think honestly both AWS / GCP should ask for permission to be invited when you're adding someone outside your company.
This should not cause any trouble, but sometimes Google’s algoritms can be ”trigger happy” when trying to stop abuse.
This is not correct. This would only work if the resource is in the same AWS account.
For cross account access, both the principal and the resource need to allow each other.
See: https://aws.amazon.com/premiumsupport/knowledge-center/cross...
I might be able to sts:AssumeRole to any number of roles created by bad cloud engineers that allowed my account instead of another. But - ignoring that it requires exceptional luck to find the right account/role pair - it takes explicit action on my part to move into their account. At the end of the day, I exchange my credentials for those in another account, and that action is logged in my account, theirs, and with AWS.
The concern here is this sharing happens without me doing anything. What happens if I get added to an account whose admin cries foul to Google? Or if their account is flagged for violating GCP terms? Given Google’s history, I’d be worried too.
Also if you don't want to completely degoogle but just want to rid yourself of some of the spam, you can use services from other ecosystems, as part of a suite, and connect the email from that suite to a google account, so you can still use googles' services and the other suites' services. Then when randos add you to things like spam in your calendar, you won't actually see it because you are using a calendar from a different suite.
But it sounds like GCP just closes the ticket for you if the support guy think it's not an issue, even if you disagree, there's no conversation to be had?
One time I sent a trade in device which usps confirmed as delivered to google , google store said that it was just an empty box and no phone was inside …
After fighting tooth and nail , I lost the case with google support because I didn’t film Myself putting the phone inside the box , only to notice few months later that the phone did reach in and they credited me with google credits ( for original trade in value)
(Googler, opinions are my own. I work on payments.)
Gmail is Gmail only, for everything else create separate Google accounts you are not afraid to lose.
IIRC a company got their project booted from the play store, because one of the developers accounts got a black mark.
In any case, I am in the process of migrating off Gmail too, it just takes a lot of effort. But to your point, I should probably also download all my gmail data and archive it just in case.
Chargebacks are the mutually assured destruction of banking. There’s nothing wrong with firing a nuclear weapon if you truly feel it’s in your best interests; if you do, expect that your adversary will respond in kind and terminate all business with you now and in the future.
Sometimes that’s the right move, sometimes it’s not, just go into it with eyes open.
I doubt Google would send anyone to collections in these circumstances. But - Careful what you wish for!
Also, if you see charges from Google on one of your cards but wasn't on your profile, I recommend following this guide: https://support.google.com/googleplay/answer/2851610?hl=en
Plenty of these stories:
https://www.reddit.com/r/tifu/comments/zndbku/tifu_by_accide...
I’ve heard people following this advice really regret it because they don’t realize how much ties to google. Please make sure folks you are advising understand this.
However IIRC Owner Role grants require email invite acceptance, just not sure if that's policy driven as well - https://issuetracker.google.com/issues/111843590?pli=1
I unfortunately can't imagine a world in which someone non-technical doesn't just get a list of emails associated with a project and all of them get rounded up by their local PDs.
https://www.theverge.com/2022/8/21/23315513/google-photos-cs...
That said, many people treat support so badly that offering it may be worth avoiding on principle.
Once you reach a certain size the reputation of your brand is almost meaningless. Some of the largest and most successful companies around are almost universally hated and have terrible reputations. Those companies don't care and they continue to make unpopular decisions and actively screw over their customers and their employees all while pulling in record profits.
Can you give examples of large companies with more than 1 competitor who get away with treating customers badly in the long run?
Google Cloud has competition, people dislike them because of their lack of support, thus they are a distant third and likely NOT getting away with it in the long run?
There's risk, though, whenever you do something that looks malicious: your account might get suspended. Also not sure if you could be legally liable for anything bad you do.
I wonder what happens to your personal and unrelated Google account if the project manages to get itself suspended.
I bet this could be weaponized fairly effectively - add a bunch of Google insiders to a project and get it noticed by an automated enforcement system. Turn the labyrinth against itself.
1. https://issuetracker.google.com/issues/35903415
Of all the software vendors out there, Google is the last one I'd use, and I certainly wouldn't rely them to run my business.
... on the other hand not firing people for negligence is how you build a moat, and pump the stock.
I pay for dev support on aws and have had good support on Amazon retail as well. They can actually solve issues. I think Amazon retail credited me a very expensive purchase not because they could see the screwup their side but could understand what might have happened and maybe looked at my insanely long purchase history with virtually no returns and just made a call on the issue. Aws dev support should stick to scope - I do think some folks get way outside AWS specific stuff and into user solution configuration error stuff