[Update 11/13: Please see my follow-up to these issues.]
[Update 3/26: I’m now in contact with Google Security.]
[Update 3/28: I’m aware of Google’s official response to the issues raised in this blog. I am continuing to share my findings with Google Security and appreciate the excellent feedback they are providing me. It would be premature for me to provide further comment at this time.]
If you can see the image below, you’ve just hacked Google Docs:
The above image should not be accessible to you. It’s supposed to be embedded solely within a protected Google Docs document, which I have not shared. In fact, I’ve actually deleted that document. It shouldn’t even exist anymore. Yet here you are, viewing my precious picture in all its glory, nakedly served by Google servers, outside of the protective Docs environment.
What went wrong? In light of the recent Google Docs privacy glitch, let’s take a look at three privacy issues highlighting problems with the way documents are shared:
1. No protection for embedded images
When you embed (“insert”) an image from your computer into a Google Document, that image is “uploaded” onto Google servers and assigned an id. From then on, the image is accessible via a URL. For example, the URL for the above image is:
docs.google.com/File?id=dtfqs27_1f3vfmkcz_b
However, unlike the containing document, embedded images are not protected by the sharing controls. That means anyone with access to the URL can view the image. If you’ve shared a document containing embedded images with someone, that person will always be able to view those images. Even after you’ve stopped sharing the document. Or as the image above demonstrates, even after you’ve deleted the document.
That’s counter-intuitive behavior for most users. If you embed an image into a protected document, you’d expect the image to be protected too. If you delete a document, you’d expect any embedded resources to be deleted also. The end result is a potential privacy leak.
2. File revision flashback
It’s 4am and you’ve been working all night on a document. This document contains a Docs diagram, blueprinting that million-dollar idea you have in your head.
You want to share this document with potential suppliers, but you don’t want to reveal all of your secrets just yet. So you diligently redact the diagram, removing all the sensitive parts of the blueprints. Satisfied that your idea is safe, you share the document (view-only).
Next thing you know, your idea has been stolen. A Chinese company quickly ships knockoffs based on your complete blueprints. What happened?
Unknown to you, anyone you shared the document with can view any version of any diagram embedded in the document. The fact that you’ve deleted sensitive parts of the diagram doesn’t matter, because the viewer can see the older versions.
How? Quite easy. In Google Docs, a diagram is a set of instructions that’s rasterized into an image (in PNG format). Each time you modify a diagram, a new raster image is created, but the old versions remain accessible via a URL, in the format:
docs.google.com/drawings/image?id=1234&...&rev=23&ac=1
To view any previous version, just change the “rev=” number above.
This problem is reminiscent of the old Microsoft Word Fast Save issue, and will have similar privacy implications if not changed.
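To make the two problems above concrete, here is an added example (not Google’s code and not from the original post): a constructed model of the authorization decision a resource server makes when an embedded image or diagram rendering is requested, with the check as the post describes it (knowing the URL is enough) beside one bound to the containing document’s sharing list, deletion state and revision history. The Document class, the revision ids and the user names are assumptions made for the model.

```python
from dataclasses import dataclass, field


# Constructed model: a document with a sharing list and embedded resources,
# each keeping a list of rendering revision ids, newest last.
@dataclass
class Document:
    doc_id: str
    owner: str
    viewers: set = field(default_factory=set)
    deleted: bool = False
    resources: dict = field(default_factory=dict)


def flawed_can_view(docs, resource_id, rev, user):
    # Behaviour the post describes: the resource URL alone grants access.
    # The parent document's ACL, deletion state and revision are ignored.
    return any(resource_id in d.resources for d in docs.values())


def hardened_can_view(docs, resource_id, rev, user):
    # Resolve the containing document and apply its sharing controls.
    doc = next((d for d in docs.values() if resource_id in d.resources), None)
    if doc is None or doc.deleted:
        return False                      # deleted document: resources go too
    if user != doc.owner and user not in doc.viewers:
        return False                      # unshared users lose access
    revs = doc.resources[resource_id]
    if rev not in revs:
        return False
    # Viewers get only the current rendering; history stays with the owner.
    return rev == revs[-1] or user == doc.owner


def scenario():
    """Replays the post's two findings; returns (flawed, hardened) outcomes."""
    doc = Document("d1", "alice", viewers={"supplier"},
                   resources={"diagram": [22, 23]})
    docs = {"d1": doc}
    out = {}
    # Finding 2: a viewer requests the pre-redaction rendering (rev 22).
    out["viewer_old_rev"] = (flawed_can_view(docs, "diagram", 22, "supplier"),
                             hardened_can_view(docs, "diagram", 22, "supplier"))
    out["viewer_current"] = (flawed_can_view(docs, "diagram", 23, "supplier"),
                             hardened_can_view(docs, "diagram", 23, "supplier"))
    # Finding 1: sharing is revoked, then the document is deleted.
    doc.viewers.discard("supplier")
    out["after_unshare"] = (flawed_can_view(docs, "diagram", 23, "supplier"),
                            hardened_can_view(docs, "diagram", 23, "supplier"))
    doc.deleted = True
    out["owner_after_delete"] = (flawed_can_view(docs, "diagram", 23, "alice"),
                                 hardened_can_view(docs, "diagram", 23, "alice"))
    return out
```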
3. I’ll help myself to your Docs, thanks
So you learned your lesson from above, and stopped sharing your documents. You’ve kicked everyone out from your Docs. This negates the purpose of Docs somewhat, but you’d rather be safe than sorry.
Working solo, you happily add new ideas to your secret document, patting yourself on the back before you go on a well-deserved vacation.
Too bad while you’re sipping piña coladas on the beach, those same suppliers you’ve just kicked out have added themselves back to your Docs and are stealing your new ideas! What?
It’s true. Even if you unshare a document with a person, that person can in certain cases still access your document without your permission, a serious breach of privacy. For now I’m withholding the mechanics of when/why/how this happens, pending further research and feedback from Google if any.
NOTE:
These findings are based upon my investigations stemming from Issue #1 above. I disclosed this particular issue to Google on March 18. I tend to follow rfpuppy’s Full Disclosure Policy and so waited five business days for Google to comment. I’ve yet to receive any response from Google other than the usual automated, canned reply (which I don’t consider a real response).