Google Search Console automatically granting owner access to properties via Google Analytics

TL;DR

Dear Google,

Please do not automatically add owners to Google Search Console properties if they are in Google Analytics accounts. There is a massive security issue with this logic, which can seriously damage a website’s performance in Google if ‘random’ people are given access automatically.

Context of complaint

Last weekend (Saturday 23rd March) our holding account for Google Search Console properties received an email with the following subject:

[Image: Google Analytics security issue highlighting the problem discussed.]

Now, there is nothing wrong with this subject; we get these notifications daily, and we’re very thankful for these awesome notification emails GSC sends so we can keep an eye on things.

However, due to how important these little notifications can be for technical SEO, I personally go through them one-by-one and raise flags with our various SEOs accordingly.

Why I’m complaining

Please see the example of the email below. In short, Google Search Console has automatically given users owner status on the profile.

Google systems have identified that your site is associated with a Google Analytics account… In order to help Analytics users access all their site data… The following users were granted OWNER status for your Search Console property.

Rightly or wrongly, there are people in Google Analytics that shouldn’t have access at owner level:

  1. Old employees
  2. Old companies
  3. Old contractors
  4. People with limited skills, but who are still owners

Why this is extremely dangerous

These people having Google Analytics access is a conversation for another day, but they should absolutely and categorically not be automatically given owner access to a GSC property because of the following:

  1. They can take a website out of Google’s organic results
  2. They can break stuff which takes months, if not years, to fix, including:
    1. Parameter configuration
    2. Disavow files
    3. Etc.

When it comes to random @gmail.com addresses, which are outside the control of organisations, this means that at best they may not use 2-step security, and at worst they may no longer be accessed by the people to whom the Analytics access was originally granted.

I’m 100% for better access of data, but this is just dangerous.

Update – 28th March

It looks like I wasn’t the first to flag this. Merlinox tweeted this last month! 👇