[Update 11/13: Please see my follow-up to these issues.]
[Update 3/26: I’m now in contact with Google Security.]
[Update 3/28: I’m aware of Google’s official response to the issues raised in this blog. I am continuing to share my findings with Google Security and appreciate the excellent feedback they are providing me. It would be premature for me to provide further comment at this time. ]
If you can see the image below, you’ve just hacked Google Docs:
The above image should not be accessible to you. It’s supposed to be embedded solely within a protected Google Docs document, which I have not shared. In fact, I’ve actually deleted that document. It shouldn’t even exist anymore. Yet here you are, viewing my precious picture in all its glory, nakedly served by Google servers, outside of the protective Docs environment.
What went wrong? In light of the recent Google Docs privacy glitch, let’s take a look at three privacy issues highlighting problems with the way documents are shared:
1. No protection for embedded images
When you embed (“insert”) an image from your computer into a Google Document, that image is “uploaded” onto Google servers and assigned an id. From then on, the image is accessible via a URL. For example, the URL for the above image is:
docs.google.com/File?id=dtfqs27_1f3vfmkcz_b
However, unlike the containing document, embedded images are not protected by the sharing controls. That means anyone with access to the URL can view the image. If you’ve shared a document containing embedded images with someone, that person will always be able to view those images. Even after you’ve stopped sharing the document. Or as the image above demonstrates, even after you’ve deleted the document.
That’s counter-intuitive behavior for most users. If you embed an image into a protected document, you’d expect the image to be protected too. If you delete a document, you’d expect any embedded resources to be deleted also. The end result is a potential privacy leak.
2. File revision flashback
It’s 4am and you’re been working all night on a document. This document contains a Docs diagram, blueprinting that million-dollar-idea you have in your head.
You want to share this document with potential suppliers, but you don’t want to reveal all of your secrets just yet. So you diligently redact the diagram, removing all the sensitive parts of the blueprints. Satisfied that your idea is safe, you share the document (view-only).
Next thing you know, your idea has been stolen. A Chinese company quickly ships knockoffs based on your complete blueprints. What happened?
Unknown to you, anyone you shared the document with can view any version of any diagram embedded in the document. The fact that you’ve deleted sensitive parts of the diagram doesn’t matter, because the viewer can see the older versions.
How? Quite easy. In Google Docs, a diagram is a set of instructions that’s rasterized into an image (in PNG format). Each time you modify a diagram, a new raster image is created, but the old versions remain accessible via a URL, in the format:
docs.google.com/drawings/image?id=1234&...&rev=23&ac=1
To view any previous version, just change the “rev=” number above.
This problem is reminiscent of the old Microsoft Word Fast Save issue, and will have similar privacy implications if not changed.
3. I’ll help myself to your Docs, thanks
So you learned your lesson from above, and stopped sharing your documents. You’ve kicked everyone out from your Docs. This negates the purpose of Docs somewhat, but you’d rather be safe than sorry.
Working solo, you happily add new ideas to your secret document, patting yourself on the back before you go on a well-deserved vacation.
Too bad while you’re sipping piña coladas on the beach, those same suppliers you’ve just kicked out have added themselves back to your Docs and stealing your new ideas! What?
It’s true. Even if you unshare a document with a person, that person can in certain cases still access your document without your permission, a serious breach of privacy. For now I’m withholding the mechanics of when/why/how this happens, pending further research and feedback from Google if any.
NOTE:
These findings are based upon my investigations stemming from Issue #1 above. I disclosed this particular issue to Google on March 18. I tend to follow rfpuppy’s Full Disclosure Policy and so waited five business days for Google to comment. I’ve yet received any response from Google other than the usual automated, canned reply (which I don’t consider a real response.)
peekay 
[…] a whole new meaning to its mission to make the world’s information universally accessible. On his blog on software, infrastructure and security, Barkah outlines no less than three issues that he […]
[…] As it turns out, that was just the tip of the iceberg. Security consultant Ade Barkah has found several more gaps, and they’re all just as alarming – if not more so.Issue #1 appears right at the top of his blog […]
[…] Check out this breaking news ! _ […]
[…] new meaning to its mission to make the world’s information universally accessible. On his blog on software, infrastructure and security, Barkah outlines no less than three issues that he […]
[…] セキュリティー・コンサルタントのAde Barkahは、Googleドキュメントにいくつかの重大なセキュリティー上の問題があることをわれわれに知らせてくれた。Googleドキュメントは世界最大の検索エンジン企業GoogleがMicrosoftOfficeのオンライン版として提供している文書作成サービスで、世界中の情報をすべてインターネット上でアクセス可能にするというGoogleが自らに課している使命を果たすための重要なファクターになっている。ソンフトウェア、インフラストラクチャー、セキュリティーについての自身のブログでBarkahはGoogleドキュメントのセキュリティーを調査しているうちに、3種類もの問題を発見したとして概要を説明している。 […]
That’s just alarming. And the next obvious question is, what other Google services have privacy and security holes – and what other non-Google doc-sharing services might be similarly vulnerable?
[…] have been three issues that have been discovered while looking into potential security lapses with the […]
You just found out how shitty Google really is at security. Their GSA is a freaking joke.
I know of a privacy hole in Google Accounts where the name set in the account settings can be revealed. Tony Ruscoe of Google Blogoscoped also knows about it. The number of holes is rather disturbing.
does this really surprise anyone? it’s cheaper and faster, just not safer. nice work on finding the bug, though.
The sad fact is that much of what Ade Barkah is revealing has been discussed over and over again in the Google Docs help forums for the last couple of years.
The Google Docs team however decided not to take much action and thus lowered the level of usability of Google Docs to that of a toy application only good enough for dad, mom and the children to play with.
Business users are supposed to be using Google Docs in conjunction with Google Apps which offers slightly more security; provided the admin and users made use of it!
Unfortunately the user interface of Google Docs lacks any warnings and help links that might have educated the Google Docs users to avoid the worst security issues (i.e. the ones related to sharing) and the help in general is often ambiguous and void of any warnings.
Google Docs is a good web application but for some unknown reason the main accent has been to put it into the market as ‘easy to use’ instead of as a ‘secure way to share’. We can only hope Google and the Google Docs team learns from this and makes security a more important issue; they have had ample time to prepare for it.
André H Banen (a.k.a. ahab)
[…] […]
[…] Det ser ud til at der er alvorlige sikkerhedsproblemer med Google Docs. Jeg kan ikke sige at jeg er overrasket over at der er problemer, men jeg er overrasket over deres alvor og hvor banale problemerne er. Læs mere om Google Docs sikkerhedsproblemer. […]
I don’t use Google Docs myself but critique should always be fair, and I get the feeling this isn’t.
1. The necessary key _is_ protected by the access lists, no? Then the image is hardly public. Had it been named “password” instead of “id”, would that have satistied you?
2. All document programs including Microsofts stores full history. That blueprint would have been stolen from a .doc as well if you gave out your document. That’s why we give out PDFs.
3. This sounds like it may be a real issue, but since you don’t give any information we don’t know.
[…] has again rocked Google’s boat. Only last week, security consultant Ade Barkah wrote a blog post about the security issues with Google Docs. In it, he […]
[…] as sharing. For example, in March, Ade Barkah, founder of IT consultancy Blue Wax, published a blog post warning about potentially risky implementations of image handling and document sharing in Google […]
[…] security blunder back in 2007, when the software was still new. And security consultant Ade Barkah expressed concerns in March ‘09 about certain Docs features, to which Google has responded. These are good reminders that no software system is perfect, nor is […]
[…] parece ser que se ajusta a mis necesidades a pesar de los errores de seguridad que indican aquí y aquí. Confío en que para una aplicación tan sencilla nadie intentará buscarme las […]
[…] 13, 2009 by peekay Back in March I wrote about a few security issues with Google Docs while keeping some details […]
[…] igual que sugiere Ade Barkah (la persona que ha descubierto este incidente) en este post de su blog personal, hemos creado un nuevo documento de texto, hemos insertado una imagen, hemos compartido dicho […]
Hmm. thanks for sharing. I’ve been using Google Docs for a year and hadn’t thought about security issues until now.
[…] the following three security holes came to the attention of Ade Barkah and several other users. On his blog, Barkah goes in to further detail, but in a […]
wow, OP is a litle over reacting-
1.of course i would use google docs as my primary method of sharing my multimillion dollar blueprint that wasn’t patented yet with the rest of the world on a public domain..
@Spirul
Uve been giving your data to a megacorp for a year and not worried about its security?
It’s feb 2011 and the image issue still occurs.
I am using it to my advantage on my wiki by making How To’s with screen shots in google docs and then copy/paste the entire doc into the wiki edit box and the images are visible even though the doc was never shared.
[…] a hosting provider’s company. Add to this that many widely used cloud services, like DropBox and Google Apps, have experienced security issues within the services themselves that compromises security of […]
If you worry about the security of the documents you stored in Google Docs, try EncGoo. It is an iPad application that encrypts documents before uploading it to Google Docs. You document is protected by an AES-256 key!
[…] personal experience, I would say that despite its faults (Formatting issues, Security concerns, Crash-causing bugs and some horrendous misalignment issues), Google Docs is one of the most […]