Potential security problem due to the use of a non-linked authentication Service(?)

Hello there,

I’m just experimenting with the Tailscale service, and stumbled upon a potential security problem(?). I’m originally using a Google account for authentication. It happens that I confused my logins, and so used my Microsoft account for authentication. Through this authentication, it seems that I’m now part of a foreign network that I don’t know about. I’m able to see three foreign hosts that I can also ping and access services on. The admin panel shows me the mail address of the account’s admin, whom I already tried to contact unsuccessfully.

How is it possible that I am part of a foreign network with a login name that I didn’t register for? The only thing the affected network and I have in common is that we both use the *.outlook.de domain for our authentication. It seems unlikely that the admin accidentally added my mail address to his private network.

Does anyone know something about this?

André

This was a known issue that was the highest priority for our team. It should be resolved as of 1/4/2021. If it hasn’t please email support@tailscale.com so our engineers can take a deeper look for you.

Hey Laura,

thank you for your reply! It seems that the issue has been resolved; at least there are no more foreign hosts visible within my account.

Is it possible to share some technical explanation regarding the cause of this problem?

Best regards,

André

Hi Andre,

Tailscale’s default behaviour is to separate individual people in domains like @gmail.com or @hotmail.com into their own networks, but to join employees of corporate domains like @tailscale.com into a single network with all their co-workers. This works well most of the time, but when Microsoft adds more domains for their consumer accounts, we don’t always have the complete list, and so it gets accidentally treated as a corporate domain instead of a one-network-per-email consumer domain. The domain you were using was one of the ones that we missed.

We added several new Microsoft domains in the last few days. Longer term, we have a new system planned that will avoid this problem entirely, allowing you to join multiple @gmail.com or other single-user accounts into a network, or create multiple separate networks on a corporate domain.
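As an added illustration (not Tailscale's own code), here is the tenancy rule described above: with an incomplete consumer-domain list, two unrelated hotmail.it users land in one shared network, while a fail-closed variant that treats every unverified domain as one-network-per-address does not. The list contents, the `.test` company domain and the sample logins are constructed assumptions.

```python
# Added illustration, not Tailscale's code: how per-email vs per-domain tenancy
# assignment leaks access when the consumer-domain list is incomplete.
# Domain names hotmail.com, gmail.com and hotmail.it come from the thread;
# the list contents and the fail-closed variant are assumptions.

KNOWN_CONSUMER_DOMAINS = {"gmail.com", "hotmail.com"}  # incomplete on purpose


def tenant_key_fail_open(email, consumer_domains=KNOWN_CONSUMER_DOMAINS):
    """Rule from the thread: listed consumer domains get one network per
    address; every other domain is assumed to be a company and shared."""
    local, _, domain = email.lower().rpartition("@")
    if domain in consumer_domains:
        return f"user:{local}@{domain}"
    return f"domain:{domain}"


def tenant_key_fail_closed(email, verified_org_domains):
    """Safer rule (assumption): only domains explicitly verified as
    organisations are shared; any unknown domain defaults to per-address."""
    local, _, domain = email.lower().rpartition("@")
    if domain in verified_org_domains:
        return f"domain:{domain}"
    return f"user:{local}@{domain}"


def find_unexpected_sharing(emails, key_fn):
    """Return tenant keys grouping more than one distinct address, i.e. the
    people who would see each other's hosts under the given rule."""
    groups = {}
    for e in emails:
        groups.setdefault(key_fn(e), set()).add(e.lower())
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


# Constructed sample logins: two strangers on an unlisted consumer domain,
# plus two co-workers on a (constructed) corporate domain.
SAMPLE_LOGINS = ["alice@hotmail.it", "bob@hotmail.it",
                 "carol@example-corp.test", "dave@example-corp.test"]

if __name__ == "__main__":
    # Fail-open: hotmail.it strangers share a network (the reported problem).
    print(find_unexpected_sharing(SAMPLE_LOGINS, tenant_key_fail_open))
    # Fail-closed: only the verified company domain is shared.
    print(find_unexpected_sharing(
        SAMPLE_LOGINS, lambda e: tenant_key_fail_closed(e, {"example-corp.test"})))
```

Under the fail-open rule the only defence is a complete and maintained list; under the fail-closed rule a domain that nobody has verified can never join strangers together.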

Thank you for sharing the Information!

I think I just had this problem with my hotmail.it account.
I signed up previously using email+password, today it asked me to login with Microsoft and I got placed into another network, owned by another hotmail.it user (I can see their email).

Thanks for reporting this. I will split hotmail.it and let you know when that’s been completed. I’ll also check that we haven’t missed any other hotmail country code domains.

This should be resolved now for hotmail.it, as well as about a dozen other hotmail domains that have no users yet.