by tazjin 1119 days ago
Ex-Googler here. Try reporting it through the security disclosure program: https://www.google.com/appserve/security-bugs/m2/new

You can also assume that by virtue of you having posted this here and being on the frontpage, it's probably made it to the internal Google SRE IRC chat by now and someone is trying to find a contact. This almost always works :)

Maybe edit your OP with a way to contact you, so that someone can reach out.


> You can also assume that by virtue of you having posted this here and being on the frontpage, it's probably made it to the internal Google SRE IRC chat by now and someone is trying to find a contact.

In that case there's no point in following up at all, right? Just post on HN and hope someone in the right spot sees it?

> This almost always works :)

That’s the type of SLA one can rely on!

> Maybe edit your OP with a way to contact you, so that someone can reach out.

Having to break online anonymity so that a company can impose the Hollywood rule, “don’t call us, we’ll call you!”, is a truly lousy support structure.

> Just post on HN and hope someone in the right spot sees it?

That's how a lot of Google tech support happens. If you get banned by mistake, you have far better luck making noise here or on Twitter vs. actually going through support.

We had an app mistakenly banned that we only got human eyes on by calling in favors from old friends who work at Google. It's asinine.

It seems they actually responded to the bug bounty request; I put the response up above.

Apple's anonymous emails may work for this purpose.

Or Firefox Relay.
Google already know about this one, fat lot of good it's done for the last 12 years: https://issuetracker.google.com/issues/35889152

Person abandons old account attached to a group/project, account then gets hacked, et voilà!

It's also probably in breach of GDPR regs that say you should be able to update your own information if it's incorrect.

I filed a bug bounty! If this is working as expected then so be it…

I didn’t even know this hit the front page till you said something.

I’m just gonna leave the other orgs alone and not do anything in there until I can figure out a strategy to delete this Google group (which I am actually using to manage my own accounts). My accounts are just hobby accounts more than anything; it’s crazy I logged in and found these full-blown business accounts lol

Just insane to me that I don’t have to confirm on my end that I should be the admin, or have the billing role lol, they can just one-way add you…

I think they meant to add their service account and instead added my Google group, the URLs are kind of similar.

> by virtue of you having posted this here

But it's not even the first time this issue was posted here. I'm not sure that approach works with Google.

https://news.ycombinator.com/item?id=34193047

It's a dice roll: if someone in a timezone where people are working while this post is trending sees it, finds it interesting, and can be bothered to post about it somewhere internally, it can help!

Of course, it would be better if there was an actually supported channel for sending this kind of information, but that's really not the fault of the people that end up finding this stuff and posting it internally (who are often not even related to the problem, posting more of a "hey, anyone know anyone who can help this guy?" message).

FWIW, the security disclosure form I posted will end up reaching a human, which is why I suggested doing that anyways.

I’ll try that I suppose, it sounds like I’m going to have to delete that Google group, which is going to be a pain because I actually use it…

I did file a bug bounty; hopefully that goes somewhere.

This isn't a Google security incident though; they could fix it, but it's not obvious to me that they should/would care?

It's the third party's security team (if there is one, otherwise engineering, contractor hirer, whoever) that should care, isn't it?

Yes, but the way that would work is that somehow this should bubble through the security org to someone in Cloud Sales, who can then look in Salesforce who the relevant internal sales contacts (i.e. the people from Google that the affected company is in touch with) are and reach out to them.

I recently helped someone with Google Cloud web applications. They got a weird bug where the deployment with new code would just give old deployment logs. Turned out the account was somehow shadowbanned for a day or so from deploying anymore. The next day the logs pointed to a code check-in from the previous day.

Eventually I got super frustrated and made a fresh Azure trial account for them and boom, everything works.

I cannot understand how GCP is so bad at UX and support. Most of the engineers I know at Google are the absolute smartest people I know; how in the heck can the product experience at GCP be so lousy?

Internal SRE IRC? Too good for the laggy Slack/Teams/etc. CVEware??

I'd be jealous, but then I realized it probably has good uptime, whereas using Slack is like a free day off every month with its SLA.

Yes, SRE doesn't wanna deal with all that crapware. Though as I was leaving, a lot of people were moving over to an IRC bridge to the (absolutely horrible, in my opinion) Google Chat.

Long time ago, many jobs ago, the whole company was on Skype. We (the ops team) just set up an IRC server on one of the boxes.

(The box was also useful for a lot of other things, like an Openarena server. We tend to play StarCraft 2 these days though.)

Thank you will try that…