Mark Ghosh who operates recently published an article that describes the terrible support experience he encountered with Google after he made the big mistake of falling for a phishing scam related to his Orkut account. After his Orkut account was compromised, he was unable to gain access to it, because the flaw used by the hackers was an old, well-known bug in the way the Orkut application stored data in cookies.

The Orkut application stores cookies in such a way that if your cookie is ever recreated by someone else or transmitted to someone else, they can use that cookie to log in to Orkut as you, forever. No matter how you change your credentials, you have no recourse for regaining control. So if you ever get caught in a phishing scam that sends your password to someone else and they recreate your orkut_state cookie, they can log in as you forever.
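An added example, not from the original post and not Orkut's code: a sketch of the class of flaw described above (a cookie whose validity does not depend on the current credentials) beside a design where a password change revokes every cookie issued before it. The cookie format, the function names and the in-memory user store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # constructed signing key for the demo
USERS = {"mark": {"pw_hash": "", "cred_version": 0}}  # constructed user store


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def _mac_ok(mac: str, payload: str) -> bool:
    return hmac.compare_digest(mac.encode(), _sign(payload).encode())


def set_password(user: str, password: str) -> None:
    # Demo hash only; a real service would use a slow KDF such as scrypt.
    USERS[user]["pw_hash"] = hashlib.sha256(password.encode()).hexdigest()
    # Every credential change bumps the version that bound cookies carry.
    USERS[user]["cred_version"] += 1


def issue_weak(user: str) -> str:
    # Weak: the cookie asserts only the identity, so it never expires
    # and is unaffected by a password change.
    return f"{user}|{_sign(user)}"


def check_weak(cookie: str) -> Optional[str]:
    user, _, mac = cookie.partition("|")
    return user if _mac_ok(mac, user) else None


def issue_bound(user: str) -> str:
    # Hardened: the signed payload includes the credential version
    # that was current when the cookie was issued.
    payload = f"{user}|{USERS[user]['cred_version']}"
    return f"{payload}|{_sign(payload)}"


def check_bound(cookie: str) -> Optional[str]:
    payload, _, mac = cookie.rpartition("|")
    user, _, version = payload.partition("|")
    if user not in USERS or not _mac_ok(mac, payload):
        return None
    # A cookie issued before the latest password change is rejected.
    return user if version == str(USERS[user]["cred_version"]) else None
```

With the weak scheme a copied cookie keeps working after `set_password` is called again; with the bound scheme the same call invalidates it and only a freshly issued cookie is accepted.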

Mark then describes the various avenues he has tried in order to get support from anyone within the Google powerhouse; so far, after two weeks of trying, he has been unsuccessful. While the initial blame can be given to Mark (which he admits), the way in which Google has handled the situation is completely unacceptable. After reading what happened to Mark, I’m feeling pretty good that I don’t rely on Google or any web-based application to handle my sensitive information.

Have you had a similar experience with Google’s support system? Don’t you think issues like this really need to be addressed before we start putting all sorts of information into the cloud?

  1. I think Google (or any other company for that matter) should take responsibility for all the information that they store in cookies (or elsewhere) and how it is handled. If they do not help people falling prey to scams, they can’t themselves be considered serious about our security and privacy.

