Google Chrome hijacked a coworker's session today.

12 points by AUmrysh ↗ HN
I was informed by our Chief Engineer today about a strange problem one of our employees encountered. The employee downloaded the latest release of chrome from the main download page and installed it. The employee then proceeded to sign into chrome sync, and when they pulled up the main google homepage, they were logged in as the personal account of a coworker. These people never shared a computer, and while they do have similar first names, I genuinely suspect that google doesn't base sessions on first names.

All we can figure is that the user who was hijacked had logged into their gmail the other day and when the other employee came in this morning and connected to the wifi, DHCP assigned them the same IP, and google just continued the session which had been left open.

Has anyone had any experience like this? It's a bit concerning because these weren't corporate accounts or anything, and the employee had full access to the google account of the other without having to know the password.

The problem disappeared when we tried clearing stored data and reinstalling chrome.

The employee hadn't used the computer displaying this behavior in a while, is it possible that a session collision happened? The fact that it was another employee leads us to believe that it was somehow linked to the corporate IP address.

Any ideas?

2 comments

[ 3.3 ms ] story [ 17.5 ms ] thread
> DHCP assigned them the same IP, and google just continued the session which had been left open

Given that you're using DHCP-assigned IP addresses, you're likely behind NAT. From Google's vantage point, both employees will appear to always have the same IP address as each other.

> is it possible that a session collision happened

Looking at my browser's session state, I suspect the session cookie is SSID, which is 21 bytes. Assuming it's a base64-encoded integer, it would be a 14-byte integer. I think that would make a collision a fairly rare occurrence.

> Assuming it's a base64-encoded integer, it would be a 14-byte integer. I think that would make a collision a fairly rare occurrence.

I agree, I think the fact that these people are coworkers and both were using the network here is relevant, but I don't know enough about networks or google's account system to make good guesses as to what happened.

There would be something like 2^(14*8), or 5 million billion billion billion unique session ids. A collision occurring in the first place must be rare, for it to be two people who are coworkers must be some orders of magnitude more rare.