• Home
  • About

peekay

random stuff about software, infrastructure, security, etc

Feeds:
Posts
Comments
« Chinks in the Armor
Update to Google Docs security issues »

Security issues with Google Docs

March 26, 2009 by Ade

[Update 11/13: Please see my follow-up to these issues.]

[Update 3/26: I’m now in contact with Google Security.]

[Update 3/28: I’m aware of Google’s official response to the issues raised in this blog.  I am continuing to share my findings with Google Security and appreciate the excellent feedback they are providing me.  It would be premature for me to provide further comment at this time. ]

If you can see the image below, you’ve just hacked Google Docs:

The above image should not be accessible to you.  It’s supposed to be embedded solely within a protected Google Docs document, which I have not shared. In fact, I’ve actually deleted that document.  It shouldn’t even exist anymore.  Yet here you are, viewing my precious picture in all its glory, nakedly served by Google servers,  outside of the protective Docs environment.

What went wrong?  In light of the recent Google Docs privacy glitch, let’s take a look at three privacy issues highlighting problems with the way documents are shared:

1. No protection for embedded images

When you embed (“insert”) an image from your computer into a Google Document, that image is “uploaded” onto Google servers and assigned an id.   From then on, the image is accessible via a URL.  For example, the URL for the above image is:

docs.google.com/File?id=dtfqs27_1f3vfmkcz_b

However, unlike the containing document, embedded images are not protected by the sharing controls.  That means anyone with access to the URL can view the image.  If you’ve shared a document containing embedded images with someone, that person will always be able to view those images.  Even after you’ve stopped sharing the document.  Or as the image above demonstrates, even after you’ve deleted the document.

That’s counter-intuitive behavior for most users.   If you embed an image into a protected document, you’d expect the image to be protected too.  If you delete a document, you’d expect any embedded resources to be deleted also. The end result is a potential privacy leak.

2. File revision flashback

It’s 4am and you’re been working all night on a document.   This document contains a Docs diagram, blueprinting that million-dollar-idea you have in your head.

You want to share this document with potential suppliers, but you don’t want to reveal all of your secrets just yet.   So you diligently redact the diagram, removing all the sensitive parts of the blueprints.  Satisfied that your idea is safe, you share the document (view-only).

Next thing you know, your idea has been stolen.  A Chinese company quickly ships knockoffs based on your complete blueprints.  What happened?

Unknown to you, anyone you shared the document with can view any version of any diagram embedded in the document.  The fact that you’ve deleted sensitive parts of the diagram doesn’t matter, because the viewer can see the older versions.

How?  Quite easy.  In Google Docs, a diagram is a set of instructions that’s rasterized into an image (in PNG format).  Each time you modify a diagram, a new raster image is created, but the old versions remain accessible via a URL, in the format:

docs.google.com/drawings/image?id=1234&...&rev=23&ac=1

To view any previous version, just change the “rev=” number above.

This problem is reminiscent of the old Microsoft Word Fast Save issue, and will have similar privacy implications if not changed.

3. I’ll help myself to your Docs, thanks

So you learned your lesson from above, and stopped sharing your documents.  You’ve kicked everyone out from your Docs.  This negates the purpose of Docs somewhat, but you’d rather be safe than sorry.

Working solo, you happily add new ideas to your secret document, patting yourself on the back before you go on a well-deserved vacation.

Too bad while you’re sipping piña coladas on the beach, those same suppliers you’ve just kicked out have added themselves back to your Docs and stealing your new ideas!  What?

It’s true.  Even if you unshare a document with a person, that person can in certain cases still access your document without your permission, a serious breach of privacy.  For now I’m withholding the mechanics of when/why/how this happens, pending further research and feedback from Google if any.

NOTE:

These findings are based upon my investigations stemming from Issue #1 above.  I disclosed this particular issue to Google on March 18.  I tend to follow rfpuppy’s Full Disclosure Policy and so waited five business days for Google to comment.  I’ve yet received any response from Google other than the usual automated, canned reply (which I don’t consider a real response.)

Advertisement

Share this:

  • Twitter
  • Facebook

Like this:

Like Loading...

Related

Posted in security, Uncategorized | Tagged google, Google Docs, privacy | 27 Comments

27 Responses

  1. on March 26, 2009 at 12:55 pm More Security Loopholes Found In Google Docs

    […] a whole new meaning to its mission to make the world’s information universally accessible. On his blog on software, infrastructure and security, Barkah outlines no less than three issues that he […]


  2. on March 26, 2009 at 4:03 pm Holes in the cloud: consultant finds more flaws in Google Docs | TekNow

    […] As it turns out, that was just the tip of the iceberg. Security consultant Ade Barkah has found several more gaps, and they’re all just as alarming – if not more so.Issue #1 appears right at the top of his blog […]


  3. on March 26, 2009 at 4:39 pm You’ve Just Hacked Google Docs | GWCheck.log

    […] Check out this breaking news ! _ […]


  4. on March 26, 2009 at 5:16 pm Privacy Lives » Blog Archive » TechCrunch.com: More Security Loopholes Found In Google Docs

    […] new meaning to its mission to make the world’s information universally accessible. On his blog on software, infrastructure and security, Barkah outlines no less than three issues that he […]


  5. on March 26, 2009 at 6:58 pm Googleドキュメントにさらにセキュリティーホール発見

    […] セキュリティー・コンサルタントのAde Barkahは、Googleドキュメントにいくつかの重大なセキュリティー上の問題があることをわれわれに知らせてくれた。Googleドキュメントは世界最大の検索エンジン企業GoogleがMicrosoftOfficeのオンライン版として提供している文書作成サービスで、世界中の情報をすべてインターネット上でアクセス可能にするというGoogleが自らに課している使命を果たすための重要なファクターになっている。ソンフトウェア、インフラストラクチャー、セキュリティーについての自身のブログでBarkahはGoogleドキュメントのセキュリティーを調査しているうちに、3種類もの問題を発見したとして概要を説明している。 […]


  6. on March 26, 2009 at 7:36 pm rjleaman

    That’s just alarming. And the next obvious question is, what other Google services have privacy and security holes – and what other non-Google doc-sharing services might be similarly vulnerable?


  7. on March 26, 2009 at 8:00 pm Add Drawings to Google Docs - and Serious Security Holes Too! | Blippitt | Tech News | Affiliate Marketing

    […] have been three issues that have been discovered while looking into potential security lapses with the […]


  8. on March 27, 2009 at 7:11 am Leather Donut

    You just found out how shitty Google really is at security. Their GSA is a freaking joke.


  9. on March 27, 2009 at 5:50 pm Voyagerfan5761

    I know of a privacy hole in Google Accounts where the name set in the account settings can be revealed. Tony Ruscoe of Google Blogoscoped also knows about it. The number of holes is rather disturbing.


  10. on March 28, 2009 at 12:19 am yougetwhatyoupayfor

    does this really surprise anyone? it’s cheaper and faster, just not safer. nice work on finding the bug, though.


  11. on March 28, 2009 at 7:21 pm ahab

    The sad fact is that much of what Ade Barkah is revealing has been discussed over and over again in the Google Docs help forums for the last couple of years.

    The Google Docs team however decided not to take much action and thus lowered the level of usability of Google Docs to that of a toy application only good enough for dad, mom and the children to play with.

    Business users are supposed to be using Google Docs in conjunction with Google Apps which offers slightly more security; provided the admin and users made use of it!

    Unfortunately the user interface of Google Docs lacks any warnings and help links that might have educated the Google Docs users to avoid the worst security issues (i.e. the ones related to sharing) and the help in general is often ambiguous and void of any warnings.

    Google Docs is a good web application but for some unknown reason the main accent has been to put it into the market as ‘easy to use’ instead of as a ‘secure way to share’. We can only hope Google and the Google Docs team learns from this and makes security a more important issue; they have had ample time to prepare for it.

    André H Banen (a.k.a. ahab)


  12. on March 30, 2009 at 3:05 pm Google weist Kritik an Sicherheit von Text und Tabellen zurck - Telekommunikation | News | ZDNet.de

    […] […]


  13. on March 30, 2009 at 4:47 pm Privatlivet er offentligt med Google Docs: Voipbloggen

    […] Det ser ud til at der er alvorlige sikkerhedsproblemer med Google Docs. Jeg kan ikke sige at jeg er overrasket over at der er problemer, men jeg er overrasket over deres alvor og hvor banale problemerne er. Læs mere om Google Docs sikkerhedsproblemer. […]


  14. on March 31, 2009 at 6:44 am Jonas B.

    I don’t use Google Docs myself but critique should always be fair, and I get the feeling this isn’t.

    1. The necessary key _is_ protected by the access lists, no? Then the image is hardly public. Had it been named “password” instead of “id”, would that have satistied you?

    2. All document programs including Microsofts stores full history. That blueprint would have been stolen from a .doc as well if you gave out your document. That’s why we give out PDFs.

    3. This sounds like it may be a real issue, but since you don’t give any information we don’t know.


  15. on April 1, 2009 at 4:54 pm Google Docs and security « A Pretty Simple blog

    […] has again rocked Google’s boat. Only last week, security consultant Ade Barkah wrote a blog post about the security issues with Google Docs. In it, he […]


  16. on August 19, 2009 at 6:26 pm Google Enables Document Sharing Among Groups « Sathish's Blog

    […] as sharing. For example, in March, Ade Barkah, founder of IT consultancy Blue Wax, published a blog post warning about potentially risky implementations of image handling and document sharing in Google […]


  17. on August 31, 2009 at 1:14 pm Is It Secure? Google Docs for Journalists: Part 3 | Digital News Journalist

    […] security blunder back in 2007, when the software was still new. And security consultant Ade Barkah expressed concerns in March ‘09 about certain Docs features, to which Google has responded. These are good reminders that no software system is perfect, nor is […]


  18. on November 2, 2009 at 6:03 pm Unos cambios en el blog « Blog numismático

    […] parece ser que se ajusta a mis necesidades a pesar de los errores de seguridad que indican aquí y aquí. Confío en que para una aplicación tan sencilla nadie intentará buscarme las […]


  19. on November 13, 2009 at 11:32 am Update to Google Docs security issues « peekay

    […] 13, 2009 by peekay Back in March I wrote about a few security issues with Google Docs while keeping some details […]


  20. on March 16, 2010 at 11:47 pm EL DOCS « Majedi's Blog

    […] igual que sugiere Ade Barkah (la persona que ha descubierto este incidente) en este post de su blog personal, hemos creado un nuevo documento de texto, hemos insertado una imagen, hemos compartido dicho […]


  21. on May 17, 2010 at 1:40 pm spirulinaopowder

    Hmm. thanks for sharing. I’ve been using Google Docs for a year and hadn’t thought about security issues until now.


  22. on May 18, 2010 at 4:22 pm How Safe Are Your Google Docs? | oDesk.com

    […] the following three security holes came to the attention of Ade Barkah and several other users. On his blog, Barkah goes in to further detail, but in a […]


  23. on May 18, 2010 at 11:11 pm Paul

    wow, OP is a litle over reacting-

    1.of course i would use google docs as my primary method of sharing my multimillion dollar blueprint that wasn’t patented yet with the rest of the world on a public domain..

    @Spirul
    Uve been giving your data to a megacorp for a year and not worried about its security?


  24. on February 9, 2011 at 11:04 pm Chuck

    It’s feb 2011 and the image issue still occurs.

    I am using it to my advantage on my wiki by making How To’s with screen shots in google docs and then copy/paste the entire doc into the wiki edit box and the images are visible even though the doc was never shared.


  25. on March 17, 2011 at 12:20 am Privacy and Security in the Cloud | AKISIT

    […] a hosting provider’s company. Add to this that many widely used cloud services, like DropBox and Google Apps, have experienced security issues within the services themselves that compromises security of […]


  26. on February 6, 2012 at 3:11 am encgoo

    If you worry about the security of the documents you stored in Google Docs, try EncGoo. It is an iPad application that encrypts documents before uploading it to Google Docs. You document is protected by an AES-256 key!


  27. on August 30, 2012 at 4:07 pm Web 2.0 and Personal Productivity - David Allan Thompson on Enterprise 2.0

    […] personal experience, I would say that despite its faults (Formatting issues, Security concerns, Crash-causing bugs and some horrendous misalignment issues), Google Docs is one of the most […]



Comments are closed.

  • Archives

    • March 2016 (1)
    • February 2012 (1)
    • December 2011 (1)
    • November 2009 (2)
    • March 2009 (4)
    • September 2008 (3)
  • Categories

    • iPhone (3)
    • java (1)
    • security (9)
    • Uncategorized (4)
  • Pages

    • About

Create a free website or blog at WordPress.com.

WPThemes.


Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy
  • Follow Following
    • peekay
    • Already have a WordPress.com account? Log in now.
    • peekay
    • Customize
    • Follow Following
    • Sign up
    • Log in
    • Copy shortlink
    • Report this content
    • View post in Reader
    • Manage subscriptions
    • Collapse this bar
%d bloggers like this: