Jajodia has two domains that he bought from GoDaddy via Google Apps. He calls then ab1 and ab2. He logged into ab1 via Google Apps and did what he needed to do. Then he wanted to move to ab2, so simply edited the URL in the browser from http://google.com/a/cpanel/ab1.com... to http://google.com/a/cpanel/ab2.com... and proceeded. He then logged into the second account, ab2 – but was shown the login details for the first.
This was a puzzle until he noticed that by editing the first part of the URL while successfully logged in to ab1, the last part of the URL still referenced ab1. In short, while logged in to Google Apps, editing the URL could provide login details for a different account. Jajodia tested this process against another user’s account – one that had already been reported as hacked and down, and it “was really shocking that I was actually able to see [othersite]’s Domain Name Manager login details.”
He reported the issue to Google’s support team, but wasn’t taken seriously, “and I also heard one of them where laughing when I was trying to explain them about it,” he writes in his blog. In the end he made a “screen-cast using screener.com and showed them the video”, and finally he was taken seriously. “Then the problem got solved in few hours, however I never heard from them again even I sent them an email asking for an update about the same but didn’t received any reply from them.”
Strangely, the day after he went public with this blog, he received an email from Google’s Adam: “Hey – I understand you reported an interesting bug to our Google Apps engineers - much appreciated! Just wanted to let you know that I’ve added this issue to our weekly panel meeting for next Tuesday. We’ll consider this under our reward program...”
And the moral of this story? Do good; but you may have to shout to have that good recognized.