Security consultant Ade Barkah checked in with us to alert us to a couple of serious security issues associated to Google Docs, the web-based office software from the world’s most famous search engine company, giving a whole new meaning to its mission to make the world’s information universally accessible. On his blog on software, infrastructure and security, Barkah outlines no less than three issues that he discovered while investigating some potential security lapses.
Since he did the right thing by contacting Google about his findings (only to receive no response after five business days), we’re hoping that this article will help trigger the company’s engineering team to plug the holes asap. In case you missed it, earlier this month we uncovered some major privacy blunders going on with Google Docs, which the company later confirmed and fixed (we pinged them for this too).
Update: Google has published its stance on these issues on the official Docs blog (they don’t believe there’s a significant security risk)
So what’s up?
First, apparently when you embed an image in a protected document it gets uploaded to a Google server where people you’ve not given access to the file can still see and download it, even after you’ve deleted the document in question. I’ve uploaded an image to a protected file in my account for testing, and deleted the document right after. If you see the image embedded on top of this post, or click this link to find you can still get to the image, that means the above checks out.
I concur with Barkah, who writes:
If you embed an image into a protected document, you’d expect the image to be protected too. If you delete a document, you’d expect any embedded resources to be deleted also. The end result is a potential privacy leak.
Images can potentially contain confidential information, both personally and professionally, and it basically only takes finding out what the dedicated URL for an image is for anyone to access it freely, which is a massive privacy blunder.
Second, it appears that if you share a document carrying a diagram – a feature Google introduced yesterday – with anyone, this person will be able to view any version of any diagram that has been embedded in the document. That basically means that if you create a diagram with sensitive information and later decide to strip some of it away before sharing the document in view-only mode, the person you share it with will be able to revert to previously saved versions simply by tweaking the URL a bit, uncovering what you thought you were still hiding from him or her.
The third issue Barkah lays out is such a serious bug that he doesn’t go into the details of the mechanics behind it yet, pending further research and feedback from Google. The security specialist claims that if you take away the permission for another person to access your documents, they could in some cases still be able to get to them later without your knowledge.
If that last claim turns out to be valid, I’m leaving Google Docs and never coming back.
Update: A Google spokesperson responds:
We take the security of our users’ information very seriously and are investigating the concerns raised by the researcher. Based on the information we’ve received, we do not believe there are significant security issues with Google Docs. We will share more information as soon as it’s available.