Debugger

How to Stop ‘God Mode’ Abuse

Making ‘ghost user’ tools safer for customers starts with changing the frameworks that most apps and services are built on

Owen Williams
Published in OneZero
4 min read · Mar 5, 2020


Image: PM Images/Getty Images

You might think that as long as you keep your password safe, you’re the only person who can access your online accounts. But Facebook, Twitter, and the majority of tech companies build “user impersonation” tools into their software that allow their employees to peer inside any account — and act as though they’ve logged into that account — without the owner ever knowing. These tools are generally accepted by engineers as common practice and rarely disclosed to users.

Often called “impersonate mode,” “ghost user,” or “proxy user,” they allow customer service representatives to see a service exactly as a given user sees it, in order to diagnose errors, and help engineers build better products by showing them how features behave inside real users’ accounts.

But this type of internal tool can be abused. Most famously, Uber employees used the app’s “God mode” to track the movements of everyone from politicians to ex-girlfriends. Lyft provided similar tools, which were also abused by employees. And Ring recently fired employees for watching customer videos, which they easily could have found using a user impersonation tool, though Ring did not disclose how the employees accessed videos.

Part of the problem is how the programming tools that many developers use to build apps and services handle their user impersonation features.

One of the most popular libraries for Ruby on Rails, ActiveAdmin, provides one such feature and has been installed over 7.9 million times. Laravel, a popular PHP-based framework, offers a similar package called Spark, as do many other development tools.

Out-of-the-box user impersonation tools provided by these frameworks typically don’t ask for users’ permission or even notify users when their account has been accessed. For those with administrator access, popping into accounts is as easy as clicking around the app.

A developer using Laravel Spark to build an app, for instance, manually “white lists” users with administrator access that would allow access…
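The two preceding paragraphs describe the shape of the problem: an out-of-the-box impersonation feature checks only that the actor is on a hand-maintained admin allowlist, then grants silent, unlogged, open-ended access. The following Ruby sketch is an added example, not code from ActiveAdmin, Laravel Spark, or the article; every class, method and sample value in it is a constructed stand-in. It places the silent pattern next to a hardened one that keeps the same allowlist gate but also demands a stated reason and a single-use, time-limited consent grant from the account owner, writes every decision (including refusals) to an append-only audit trail, notifies the owner, and expires the session.

```ruby
require 'securerandom'
require 'time'

# Constructed stand-in for an application's user model (hypothetical, not a real library's).
User = Struct.new(:id, :email)

# Mirrors the out-of-the-box behaviour the article describes: anyone on the
# admin allowlist can step into any account; nothing is recorded and the
# account owner is never told.
class SilentImpersonation
  def initialize(admin_ids:)
    @admin_ids = admin_ids
  end

  def start(actor:, target:)
    raise ArgumentError, 'actor is not an allowlisted admin' unless @admin_ids.include?(actor.id)
    { acting_as: target.id } # no audit entry, no notice, no expiry
  end
end

# Hardened variant: the same allowlist gate, plus a single-use consent grant
# from the account owner, a stated reason, an append-only audit trail,
# a notification to the owner, and a short session lifetime.
class AuditedImpersonation
  Session = Struct.new(:token, :actor_id, :target_id, :reason, :started_at, :expires_at)

  attr_reader :audit_log, :notifications

  # The clock is injectable so expiry can be exercised deterministically.
  def initialize(admin_ids:, ttl_seconds: 900, clock: -> { Time.now })
    @admin_ids = admin_ids
    @ttl = ttl_seconds
    @clock = clock
    @consents = {}      # consent_id => { user_id:, expires_at: }
    @sessions = {}      # token => Session
    @audit_log = []     # append-only; never rewritten by this class
    @notifications = [] # stand-in for an email/push queue
  end

  # The account owner grants a time-limited, single-use consent (e.g. from a support chat).
  def grant_consent(user:, valid_for: 3600)
    id = SecureRandom.hex(8)
    @consents[id] = { user_id: user.id, expires_at: @clock.call + valid_for }
    id
  end

  # Returns a Session on success, nil on refusal; every decision is logged.
  def start(actor:, target:, reason:, consent_id:)
    now = @clock.call
    return refuse(actor, target, reason, 'actor not on admin allowlist', now) unless @admin_ids.include?(actor.id)
    return refuse(actor, target, reason, 'no reason given', now) if reason.to_s.strip.empty?

    consent = @consents[consent_id]
    unless consent && consent[:user_id] == target.id && consent[:expires_at] > now
      return refuse(actor, target, reason, 'no valid consent from account owner', now)
    end
    @consents.delete(consent_id) # single use: a second session needs a fresh grant

    session = Session.new(SecureRandom.hex(16), actor.id, target.id, reason, now, now + @ttl)
    @sessions[session.token] = session
    record(:started, actor.id, target.id, reason, "expires #{session.expires_at.getutc.iso8601}", now)
    @notifications << { to: target.email,
                        text: "Support staff (#{actor.email}) accessed your account: #{reason}" }
    session
  end

  # Check this on every request made under the impersonation token.
  def active?(token)
    s = @sessions[token]
    !s.nil? && s.expires_at > @clock.call
  end

  def stop(token)
    s = @sessions.delete(token)
    record(:stopped, s.actor_id, s.target_id, s.reason, 'ended by actor', @clock.call) if s
    !s.nil?
  end

  private

  def refuse(actor, target, reason, why, now)
    record(:denied, actor.id, target.id, reason, why, now)
    nil
  end

  def record(event, actor_id, target_id, reason, detail, at)
    @audit_log << { event: event, actor_id: actor_id, target_id: target_id,
                    reason: reason, detail: detail, at: at.getutc.iso8601 }
  end
end
```

The design choice worth noting is that refusals are logged with the same fidelity as successes: an admin repeatedly probing accounts without consent leaves a trail even when no session is ever granted, which is what a detection team would want to alert on. Binding the consent to a specific target user also means a grant obtained for one support ticket cannot be reused to open a different account.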
