If you're sitting at someone's computer you can do all sorts of stuff. Their calendar and email are probably already open. You can look at their photos. You can even listen to their music.<p>Update: I should add that this probably should be optional since it goes against a reasonable expectation. But considering it requires an "attacker" to have physical control of the computer, I don't find it super serious. Dropbox behaves the same way (though I guess you usually don't see anything else on the web that you can't on the desktop).
Google Drive saves your login credentials, or at least some sort of authentication token, otherwise you'd have to enter them every time at launch.<p>Naturally, anyone with access to your computer could use those to access your Google Account. Google just made it more convenient for you, the authorized user, to do so, by adding this feature. It does not reduce security in any way, as even without the option to log in to your account on the web, the authentication information for Google Drive will still be on your machine unless you want to log in every time.<p>Of course, they could use a special authorization token _just_ for Google Drive, but that's not how Google's services have ever worked.
According to Google this is not an issue but rather it was specifically designed this way:<p><a href="http://productforums.google.com/d/msg/drive/SpN5gNF33Ys/3N0Nr_LhalUJ" rel="nofollow">http://productforums.google.com/d/msg/drive/SpN5gNF33Ys/3N0N...</a>
Hello gigantic security backdoor!<p>This probably happens because Google Drive's windows service caches your credentials (or the special password you 2-factor users have to make for programs that can't do 2-factor), in order to authenticate and sync between cloud and desktop.<p>Clicking the link uses those cached creds to authenticate you and pass you to the website...then since you're already authenticated, clicking "Gmail" takes you to your inbox.<p>So maybe the credentials we give to Drive shouldn't have permissions to Gmail? Can we set the permissions for the 2-factor passwords we create? Why not?
This just in... every web browser is a security back door to all your web apps!<p>If you sign in to a web service and click "remember this computer", close the browser, get up and walk away, and someone else sits down at your logged in computer they have access to all your web stuff!<p>This is a non-story. Working as intended.
If I log out of my Google account I get logged out of the Google Drive client too, so I'm not sure there's a problem here.<p>[edit] Oh, wait. That's what happened the <i>first</i> time I tried, but the next log out worked exactly as described in the article.
This is a bunch of alarmist nonsense. For starters this is no "backdoor" it's front and center, and the author acts as if the concept of locking a user profile behind a password on the OS level is a completely foreign one.<p>Client side software devs assume that a user set up a local password because there is only so much that can be done for the user, and otherwise this makes this sort of software very cumbersome to use on a continuous bases.
With the new unified Google, users should think of local Drive as local Google. It is hard to say if web based logout should trigger a local client app logout, outside the web browser. Leaky abstractions FTL.