[jimrandomh]

You shouldn't be telling this to tier-1 support, you should be reporting it through a contact that's labeled as specifically being for reporting security issues affecting Google login, ie https://bughunters.google.com/ . This is a significant security vulnerability because the existence of this TV implies the existence of an API somewhere which the TV has used, which can create revocation-resistant keys.

(I ran into a similar issue with the Oculus/Meta Quest 2 and Facebook login tokens. I reported it as a vulnerability in the Facebook account system and it was fixed eventually.)

[sdiacom]

Why shouldn't tier-1 support be able to forward this to someone who is the slightest bit technical, who can then make the call to report this to the relevant security team?

There's no reason why tier-1 support has to be this irredeemably useless. Just put someone in the loop who knows when _not_ to blindly follow a script. It really isn't that hard.

[m000]

> There's no reason why tier-1 support has to be this irredeemably useless.

There is. They're probably non-Google employees, leased en-masse from the cheapest support center Google could find.

[bouke]

has vs would

It is a deliberate choice to offer inferior support that isn’t able to deal with security issues.

[PeledYuval]

I agree with you. I tried really hard to get this escalated. Tier 1 seem to have absolutely no ability to escalate tickets. It's a cost-saving decision for sure, and it feels really bad to fall between the cracks due to it

[switchupcb]

I submitted a similar issue regarding Google Drive folders. I don't think submitting this issue will earn OP any money as a "significant security vulnerability": In other words, Google will not consider this a significant security vulnerability.

> While our highest-impact services (e.g., Google Wallet, Gmail) are designed to make cookies expire very shortly after the user logs out, we believe that most potential exploitation vectors for this behavior fall outside the security model of modern browsers and operating systems, and can't be meaningfully mitigated by any single website.

> Check this link for more info: https://sites.google.com/site/bughunteruniversity/nonvuln/co...

Note: The issue I submitted was related to revoking all sessions (authentication) as well.

[toast0]

> I don't think submitting this issue will earn OP any money as a "significant security vulnerability"

I don't think OP wants to claim a bounty (and anyway, probably doesn't have the details needed), OP just wants the issue fixed. Getting the issue looked at by someome who cares is more likely in the bounty program than through google customer support, because bug bounty triagers need to be empowered to communicate with people empowered to fix issues and google customer support isn't so empowered.

In a good customer service organization, an issue like this should get escalated, but that's not the reality at google, and not at too many other places either.

[PeledYuval]

Thank you - I will be trying this

[japanman425]

Not really. It’s just a long lived refresh token. You can revoke the app it’s associated to but OP seems unaware.

[urbandw311er]

OP has listed the steps they took to revoke connected devices, what additional revocation are you referring to?

[PeledYuval]

Please, if I missed a method to revoke access - let me know how. I'm not being sarcastic, I think I've tried everything there is to try

[operator-name]

I think he's talking about https://support.google.com/accounts/answer/3466521?hl=en

[bmitc]

How then?