I was working on a review when this came across my desk. Here is the short story. A teacher noticed that a student had another person’s email open while on their Chromebook. At first, the thinking was that they had signed into that Chromebook as that person (which is not a great idea). Upon further investigation, it turns out that the student in question was properly signed into their own Chromebook but somehow was able to open up someone else’s Gmail next to their own.
Before I go and detail how this happened, this is simply wrong. I cannot think of having a student log into another student’s email account as a good thing. Whether they’re friends and share passwords (another bad idea) or not that should be squashed.
I am going to detail how this works and what you or your Google Admin needs to do to fix it.
How it works
I’m going to have some detailed screenshots to walk you through it. In these screenshots I will be signed into the Chromebook and will sign into a test account at the same time. Let’s get it on!
Once someone is signed on, they need to go to Chromebook settings (click on the time in the bottom right hand corner) and select Accounts (I’ve seen it as People as well). Then click on your account.
From here click on the + Add Google Account button.
A screen will pop up and ask you to sign into that account. It will want the username and password. We have restricted our Chromebooks so only students can sign into it. Despite that restriction, this would allow a student to sign into any Google account, even a personal account.
After that is done it will not open a new window or anything. You need to go to a Google service. In this example, I headed over to Google Classroom. Here it is with my one class. Click on your account icon in the top right hand corner. Then select the second account
A new tab will open and that person’s Google Classroom will be loaded. So I have two tabs of Google Classroom. One for me and one for the testing account.
Yeah – this is no good at all, but there is a way to plug this hole.
This will work for any Google service, Gmail, Drive, Classroom, Photos, Sites, etc.
It didn’t take too long to find and test. The reason why it worked for this blog post is because I am in the admin organizational unit (OU) and it does not have these restrictions. If I was trying to do it from a student account, it would fail as I will show you.
First head to the Google Admin control panel (admin.google.com). If you’re not an admin for your school or district then your journey ends here. Alert someone who has this access and let them know what the hole is and how to fix it.
If you do have this level of access you are going to want to get to the User & Browser Settings for your Chromebooks. To get there I go from Home —> Devices —> Settings —> User & browsers. Now find the OU with your students and select it.
Then scroll down to the section titled User experience.
Scroll down a little further until you see Sign-in to secondary accounts. You want this disabled!
Then save those settings and that problem (if it’s not it would have been) will be fixed.
Once the fix is in place, when a student tries to do this here is what they will see when they try to add the second account.
It’s tough to see but the + Add Google Account is greyed out (it is normally blue).
Kids are smart and curious and with enough time and motivation they can find ways around, certain security procedures, but this is bad. A student could send horrible emails to another student and start all sorts of problems. Maybe their parent has a Gmail account and they log into it and send/reply to emails from the school.
This just isn’t wrong, it is illegal (in most cases). Protect yourself, protect your students and be vigilant people.