Security is always a tricky balance between usability and protection. If you err too far on the side of protection, people will find using your product slow and painful and they might not use it. But if you err on the side of being too permissive, you open people’s machines and data to possible malicious behavior.
Google Drive’s desktop client for Windows and OS X has recently been discovered to be erring too far on the side of usability. If a user chooses to visit Google Drive on the web, it automatically logs them into other Google services such as Email and Calendar, rather than just Google Drive. This behavior occurs even if a user is previously logged out or if they have 2-Factor Authentication enabled.
Being able to view your Google Drive on the web, even if you have the desktop client installed, can certainly be a help at times. However, Google Drive should ask their users to authenticate before proceeding if they’re not presently logged in. And it definitely seems like poor form to automatically log them into other Google services as well. Thankfully, this problem is limited to shared machine rather than being open to remote machines. But it’s likely people would not want other folks (even those they share a computer with) to be able to access confidential things such as their email or calendar without explicit permission.
Until this issue is fixed, people will need to be extra vigilant about logging off from all Google services before letting other people use their machine. This is always a good thing to remember to do when you’re using a shared machine, but people may not normally think to do this when they’re using apps or desktop clients rather than going directly to websites.
