How many clicks does it take? (jgc.org)
25 points by jgrahamc on Aug 11, 2010 | hide | past | favorite | 8 comments



I can't reproduce this -- can't get my Google Apps & Gmail account linked (this is something I actually want, I'm the admin anyway)


I can't reproduce this either. What I can reproduce is semi-logging in three accounts (I see them in the list but they don't have gmail, so they're grayed out).

In any case, I doubt the author tried this out. All multiple sign-on does is allow you to easily switch between accounts you are logged in to. Logging out of one doesn't affect the others, and changing the password of one doesn't change the password of any other account. It's basically a glorified switcher, and there's no vulnerability to speak of. I know this because I pseudo-linked the accounts, cleared all cookies and logged back in, and I was only linked in one account versus the three I had before.

It would be good if people reporting vulnerabilities actually tested them first :/


OK. It's true that I haven't tried this recently, but I did see this happen with one of my users a few weeks ago where I was suddenly in that user's personal email account on a machine they'd never used.


Hmm, this is odd. Clearing the cookies cleared all the signins for me. We'll have to wait and see, I guess (wait for a user with multiple Gmail accounts, I mean).


Why on earth would you link your work and private accounts? This should be titled 'How many clicks does it take assuming you use Gmail and you use Google Apps at work and you link your accounts together.'


Scary indeed, actually prompted me to reset my password for gmail, it has been too simple for too long.

I remember cases here in Germany, where big companies were spying on their employees, so the scenario of the "evil sysadmin" might even include the sysadmin who is being coaxed by his superiors.


Google needs to be crystal clear to Apps users about what access their employers have to their account. I am surprised that they can change passwords. What else can they do? Read mail sent outside the company? Read unsent drafts?


This article lacks substance and is overly alarmist. The best advice still comes back to: use a strong password for your work and personal accounts. Challenge and investigate any sysadmin who changes your password without a request.



