Google mass logout riddle deepens: OAuth token fumble blamed

The baffling mass logout of Google accounts last week was the result of accidental OAuth token invalidation, a cause Google acknowledged, but only to a subset of those affected.

On February 24, an unknown number of people who had been logged into their Google accounts found they had been logged out and had to re-authenticate themselves to log back in. The credential removal occurred on mobile and desktop devices.

Google's public statements on the matter have offered little in the way of detail. "During routine maintenance [from 1pm to midnight PST yesterday], a number of users were signed-out from their Google accounts," explained Crystal Cee, a Gmail Community Manager, in a Gmail support thread on February 24.

The web giant's Gmail support page likewise suggests the deauthentication was the result of routine maintenance, which doesn't mean much for those not familiar with the habits of Google's engineering staff.

Google's willingness to address the issue in the first place, as opposed to simply not commenting, appears to follow from a desire to dispel any doubts about the security of its services. Unexpected login prompts may suggest an unauthorized attempt to capture account details.

"We hear your concerns that this appeared to potentially be phishing or another type of security issue," Cee explained. "We can assure you that the security of your account was never in danger as a result of this issue."

Such concerns were magnified by the disclosure, around the same time as the mass logout, of a serious CloudFlare security flaw and the unexpected remote factory reset of Google wifi and OnHub routers.

Google security researcher Tavis Ormandy, in a Chromium bug tracker thread, shot down the suggestion that the CloudFlare flaw had anything to do with the Google account deauthorization. "No, it's not related," he said, and reiterated that point when pressed.

But in a move that appears to be designed to invite conspiracy theories, Google posted and then deleted a message related to the deauthentication event on its Cloud Status Dashboard.

The disappeared message, cited in various online posts on the topic, reportedly said, "To summarize; [sic] some long-lived OAuth tokens have inadvertently been invalidated."

That makes sense: token invalidation would require anyone using a Google Account-related service to login again. It also may explain the wording some people saw when asked by Google to log back in: that a change had been made to their account, although no such change was visible in the security section of their account settings.

That said, the disappearance of the dashboard post is puzzling.

The Register, over the past few days, has exchanged multiple emails with Google's communications staff trying to understand what happened. While Google appears disinclined to provide the sort of technical detail found in Cloud Platform incident reports, it did offer an explanation for the disappearing post.

Evidently, Google's incident-oriented communication with customers varies in format and timing. What gets communicated through consumer-oriented Help Center posts, for example, may differ from what gets communicated with developers or business customers, depending on the products involved. While the company acknowledges many users were affected by the logout, it fixed the issue quickly so the messaging was removed quickly.

So as Google said in its transient post, the logout was the result of OAuth token invalidation, which followed from some undisclosed and unplanned event during routine maintenance.

As to what caused the inadvertent token invalidation – a foot snagging an extension cord or perhaps fat-fingered typing? – Google isn't saying. But looking ahead, the company might want to standardize the way it presents incident notices and technical detail within. ®