Archive

Archive for December, 2018

Hotel business centers can steal your life

December 2nd, 2018 Comments off

Many of us travel regularly for business or pleasure, and even though most of us probably haul along our own computer or tablet, occasionally we have to print something. Gee, right there off the hotel lobby is the business center, which today is often equipped with a nice color laser printer. How convenient! And how dangerous.

How do we get the document from our device to the printer? Most if us would probably think, oh, that’s easy. I’ll just pop it into Google Drive, or One Drive, or Apple Cloud. Then I’ll log in with the browser on the office center machine, print my stuff, and I’m done! I just did this at the hotel I’m staying at in Florida. Logged into the system, running Windows 10, and brought up Google Chrome. I looked at the photo icon on the upper right corner of the browser, and I see a picture of one of my colleagues…he never logged off from using it the day before! It turns out that closing Chrome does not log you out, even though logic says it should. I logged him off, logged in to Google, did my printing from content on Google Drive, and logged off.

Because neither Google nor Microsoft requires two-factor authentication, leaving an account logged in will allow the next system user to change your password. Once that’s done, everything in that account is theirs and not yours. Wow. Scary. Rebooting might fix it, but in normal operation, these systems hardly ever get rebooted.

Once logged off, I clicked the login icon on the upper right corner of the default Google Search screen. This took me to a list of the users that had previously logged into Google using this browser listing their name, their email address, and even their photo if their account had one linked to it. And there I was, as well as my colleague. At the bottom of the screen was a “remove login” selection. Clicking it placed an X next to each user on the list, and clicking the X removed that user from the list. Does it remove it from the system as well, or just from this list? I don’t know, and haven’t yet had time to research it.

I then moved to the machine next to this which I had used the day before. I looked at the list of Google users in Chrome, and there I was! I removed my entry and the other 10 on the screen—one at a time, of course—then I closed Chrome and logged out of the system.

I know it seems like a bit much expecting hotels to control this serious vulnerability on their office center system, but frankly most users will never even be aware of the danger, and if the hotels don’t take positive steps to control this it will never happen. I did some quick research to try to find a Chrome plugin to automatically log users out when the browser is closed, and to prevent the user list from being retained, but if there is such a beast, I didn’t find it. Clearly this is a need, and to be perfectly honest, one that the hotels and anyone else providing public access to Google logins on Chrome should expect to pay for. Free business plan: write it. Then write about it. Frankly, people are crazy not to protect their users like this.

—Ray Trygstad