Google+ bug can expose IM conversations

Updated. A bug in the Google Talk integration of Google+ can, under some circumstances, give users access to the IM contacts and conversations of other users on shared computers, making it possible to eavesdrop on chat sessions in real time. Google has acknowledged the issue and said it is working on a fix. The bug can also affect users with multiple Google accounts, which suggests Google+ may need some way of linking identities across accounts.

Google+ is offering its users the ability to have IM conversations through a Google Talk integration that’s very similar to the way the service is integrated within GMail. Part of that integration is regular contact with Google’s IM servers, which seems to be the core of this particular bug. Here’s how it works:

Let’s say Peter logs into GMail and Google+, then leaves both windows open on his computer. Peter’s Wi-Fi connection goes out for a minute, causing his Google Talk session within Google+ to lose sync and wait a few minutes to reconnect. Mary now borrows his computer, logs Peter out of GMail and logs into her own GMail account. The Google Talk session within Peter’s Google+ page finally decides it’s time to call home – and then automatically reconnects under Mary’s Google Talk account.

Mary logs out of her email, closes the browser window she used and hands the computer back to Peter. He’ll find now that he is still logged into Mary’s Google Talk account within his Google+ page. To make matters worse, any IM message Mary sends from a different device automatically gets relayed to Peter on his machine.
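The reconnect step in this scenario, as a simplified model added here for illustration (not Google's code and not part of the original article): it assumes the chat widget re-authenticates with whichever account the browser is currently signed into, and contrasts that with a widget that pins the account its page was loaded for. All class and function names are hypothetical.

```javascript
// Simplified model, not Google's code. Assumption: the browser keeps one
// signed-in account per cookie jar, shared by every open tab.
class Browser {
  constructor() { this.signedIn = null; }
  login(account) { this.signedIn = account; }
  logout() { this.signedIn = null; }
}

// Hypothetical chat backend: opens a session for whatever account it is given.
function openChatSession(account) {
  if (!account) throw new Error('not signed in');
  return { account, connected: true };
}

class ChatWidget {
  // pinToPageOwner=false models the reported behaviour,
  // pinToPageOwner=true models the check a defender would want.
  constructor(browser, pinToPageOwner) {
    this.browser = browser;
    this.pageOwner = browser.signedIn; // account the page was rendered for
    this.pin = pinToPageOwner;
    this.session = openChatSession(this.pageOwner);
  }
  dropConnection() { this.session = null; }
  reconnect() {
    const ambient = this.browser.signedIn;
    if (this.pin && ambient !== this.pageOwner) {
      // Identity changed under the page: stay disconnected, force a reload.
      this.session = null;
      return { ok: false, reason: 'account-changed' };
    }
    this.session = openChatSession(ambient);
    return { ok: true, account: this.session.account };
  }
}

// Replays the article's scenario and reports whose chat the page ends up in.
function replayScenario(pinToPageOwner) {
  const browser = new Browser();
  browser.login('peter');
  const widget = new ChatWidget(browser, pinToPageOwner); // Peter's Google+ tab
  widget.dropConnection();   // Wi-Fi outage
  browser.logout();          // Mary logs Peter out ...
  browser.login('mary');     // ... and signs in herself
  return widget.reconnect(); // delayed retry fires in Peter's tab
}

console.log(replayScenario(false)); // { ok: true, account: 'mary' }
console.log(replayScenario(true));  // { ok: false, reason: 'account-changed' }
```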

A Google spokesperson told me today that this looks like a rare bug that is currently being addressed. He also said that Google generally recommends always logging out of your Google account if you share a computer. However, this wouldn’t have helped Mary, since she dutifully logged out of GMail at the end of her session, unaware that her IM session persisted within Peter’s Google+ page.

Correction: Turns out that logging out of your GMail account actually does force the Google Talk session to disconnect a few seconds later. However, Mary’s Google Talk session will persist if Mary simply closes her browser window and Peter uses another login screen instance to access his GMail account. In fact, Peter will be able to access both his and Mary’s Google Talk account simultaneously without still being logged into her GMail account.

To be fair, it’s unlikely that many people will run into this issue — even though it happened to me yesterday, resulting in some very confused IM exchanges between me and my wife’s work colleagues before we finally figured out what had happened. But a Google+ user has told us that the same has happened to him with his own multiple GMail accounts, suggesting that Google may have to find a way to unify multiple accounts under one Google+ identity.

Google+ users have already been vocal about the inability to access the service with enterprise Google accounts, forcing users to revert to their personal emails for Google+ usage. Google has said that it will add enterprise support to Google+ in the future, but hasn’t given a timeline for doing so.

It might be a good idea for Google to take the roll-out of enterprise access one step further, allowing people to link their personal and professional accounts under one Google+ identity. This would not only allow users to share content with contacts across their multiple Google accounts, but also simplify the discovery of Google+ users within the network, many of whom now show up with multiple but separate Google accounts.

Update (08/11/2011): A Google spokesperson told me that the bug in question has since been fixed.