arrow_back Return

Need better security around login with Google accounts

June 2, 2019
We have a shared laptop at the church that different operators would use each Sunday. Most of our users login using Google accounts. The way WE currently works, the first time someone uses a new Google account to login, they would need to enter their passwords. After the particular Google account has been used once, it is saved in WE's list of Google accounts. Next time someone launches WE, they can simply click "Log in with Google" to automatically login as the last used Google account without needing to provide any verification. Alternatively, they can choose "Sign in as a different user" and then "Login with Google", and they would be presented with a list of all Google accounts that have ever been used to login to WE on that computer. Then would then be able to click on any one of those accounts and login as that account without needing to provide any verification. This seems to defeat any point in having different access levels for different users, because with a shared church computer, anybody who has access to that computer would be able to login as any WE user.

Even more worrying is the Google slides feature. If a user chooses Google slides as a foreground for a cue, they would get a pop-up asking them to choose a Google account to access Google Drive and look for slides. Again, that list contains all the Google accounts that have ever been used to login to WE on that computer before, and the user can simply choose any of the accounts and grant permission to WE to "access all contents of Google Drive" for that account, again without having to provide any authentication.

This to me is a huge security hole that needs to be fixed ASAP.
Posted by Gideon
June 9, 2019
Also, it would be really nice to have the ability to remove a Google account from the list of accounts to choose from, especially important in light of the issues mentioned above.
Posted by Gideon
June 11, 2019
You can clear the past used Google accounts by going to Settings > Cache and clicking "Clear Cache".

We'll look into this and come up with a better solution for a Google logout. I appreciate the post, thank you!
Posted by Adam
June 12, 2019
Thanks Adam for the tip and for looking into it!
Posted by Gideon
June 18, 2019
As of version 4.41, logging out of Worship Extreme will also clear the third party user lists.
Posted by Adam
June 20, 2019
Awesome. Works as expected -- simply closing the app will keep the previous logins, but explicitly logging out via Settings menu will clear them. Thanks for the quick response and fix!
Posted by Gideon
Login to post a reply