Google Denies Severity Of Google Docs Flaw

A security consultant has claimed that weaknesses in Google Docs could allow users to view another user’s shared documents even after their access rights have been taken away. Google has said it is investigating, but does not believe this is a serious threat to users.

In his blog, security consultant Ade Barkah published information about three privacy issues in Google Docs tied to the system’s content sharing controls. The most serious of the issues is not described in detail, although he contends that it could be abused in certain circumstances to allow someone to access a document even after that person’s access rights have been taken away.

Barkah demonstrated that embedded images in documents can still be accessed by people with whom the documents had been shared even if that document is no longer shared, or even after it has been deleted.

“When you embed (‘insert’) an image from your computer into a Google Document, that image is ‘uploaded’ onto Google servers and assigned an ID,” Barkah wrote. “From then on, the image is accessible via a URL.”

In addition, when a document contains a Docs diagram, people with whom that document was shared as collaborators can still see the diagram even if it was redacted.

“In Google Docs, a diagram is a set of instructions that’s rasterised into an image (in PNG format),” he wrote. “Each time you modify a diagram, a new raster image is created, but the old versions remain accessible via a URL, in the format: docs.google.com/drawings/imageoeid=1234&…&rev=23&ac=1. To view any previous version, just change the ‘rev=’ number above.”

In fairness to Google, the examples involve documents that have already been shared, which assumes a certain degree of trust.
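The following sketch is an added example, not part of the original article and not Google's code. It contrasts serving an embedded asset purely by its URL parameters with re-checking the parent document's current sharing state on every request. The names `Store`, `fetch_by_url`, `fetch_checked` and `redact`, and the sample data, are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Doc:
    owner: str
    shared_with: set = field(default_factory=set)
    deleted: bool = False

@dataclass
class Asset:
    doc_id: str       # parent document the image or diagram belongs to
    revisions: dict   # rev number -> rendered bytes

class Store:
    def __init__(self):
        self.docs, self.assets = {}, {}

    def can_read(self, user, doc_id):
        doc = self.docs.get(doc_id)
        return (doc is not None and not doc.deleted
                and (user == doc.owner or user in doc.shared_with))

    def fetch_by_url(self, asset_id, rev):
        # Weak pattern: knowing the id and rev is the only "authorization",
        # so unsharing or deleting the document changes nothing here.
        return self.assets[asset_id].revisions[rev]

    def fetch_checked(self, user, asset_id, rev):
        # Hardened: the parent document's current ACL is evaluated per request.
        asset = self.assets.get(asset_id)
        if asset is None or not self.can_read(user, asset.doc_id):
            raise PermissionError("no current access to parent document")
        if rev not in asset.revisions:
            raise LookupError("revision purged or never existed")
        return asset.revisions[rev]

    def redact(self, asset_id, rev):
        # Redaction removes the stored raster rather than hiding it in the editor.
        self.assets[asset_id].revisions.pop(rev, None)

def build_sample():
    # Constructed sample data: one shared document, one diagram, two revisions.
    s = Store()
    s.docs["doc1"] = Doc(owner="alice", shared_with={"bob"})
    s.assets["1234"] = Asset("doc1", {22: b"diagram-with-secret",
                                      23: b"diagram-redacted"})
    return s
```
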

“We take the security of our users’ information very seriously and are investigating the concerns raised by the researcher,” a Google spokesperson said. “Based on the information we’ve received, we do not believe there are significant security issues with Google Docs. We will share more information as soon as it’s available.”

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
