Google Drive Found Leaking Private Data — Another Warning About Shared Links

A disturbing privacy problem has been discovered in Google Drive which could have resulted in sensitive information being accessed by unauthorised parties.


8 July 2014

dataleak

A disturbing privacy problem has been discovered in Google Drive which could have resulted in sensitive personal or corporate information stored on the cloud service being accessed by unauthorised parties.

The security hole, which has now been patched by Google, underlines the unexpected dangers which can arise from allowing "anyone who has the link" to access your private data without further authentication.

How It Works

In a nutshell, the risk existed if you stored files that included a clickable URL on your cloud file sharing service.

If someone (you, or someone you have shared permissions with to access the file) opens the file on the Web-based service and clicks on the embedded hyperlink, then the owner of the third-party website being linked to could receive a referrer URL.

And, if they accessed that URL, they could — potentially — access your sensitive information.

To make this easier to understand, here's a not entirely implausible scenario.

Company X is considering acquiring Company Z, but hasn't decided how much it should offer for the company it is planning to take over.

A PDF containing various proposals is stored on Google Drive, and the link to the file is shared with various senior parties inside Company X.

However, the file also contains an embedded clickable link to Company Z's website. If any of the authorised parties accesses the file then clicks on the link, they may inadvertently share the secret URL to the sensitive information with the administrators of the Z website.

If the flaw sounds familiar, then give yourself a pat on the back: It bears startling similarities to Dropbox vulnerabilities discovered earlier this year by Intralinks. It particularly resembles a hyperlink disclosure vulnerability that caused the exposure of confidential tax returns, bank records, mortgage applications, blueprints, and business plans. Dropbox acknowledged the issue and fixed the problem.

Google Explains Security Hole

In a blog post about how it has addressed the security hole, Google has gone to pains to explain that the security issue only affected a "small subset of file types" in Google Drive:

This issue is only relevant if all of the following apply:

  • The file was uploaded to Google Drive
  • The file was not converted to Docs, Sheets, or Slides (i.e., remained in its original format such as .pdf, .docx, etc.)
  • The owner changed sharing settings so that the document was available to “anyone with the link”
  • The file contained hyperlinks to third-party HTTPS websites in its content

From now on, Google says, documents newly shared on Google Drive with links to third-party HTTPS websites, will no longer relay the original document's URL.

Ensure File Protection

You would be wise, however, to delete any previously shared Google Drive documents that could be affected by the flaw, after creating a copy that can be shared afresh, if required.

It shouldn't be forgotten that if users had been required to authenticate themselves in order to access a shared link rather than an "anyone who has the link" free-for-all, this security hole wouldn't have existed.

The rise of “consumerization” means that more and more office workers may be using consumer-grade systems for sharing sensitive business data. These consumer services don’t provide the controls and policy enforcement that would help your IT security department sleep more soundly in their beds at night.



Graham Cluley

Graham Cluley

Graham Cluley is an award-winning veteran of the anti-virus industry, fighting cybercrime and raising awareness of computer security and privacy issues since the early 1990s. Find out more on his computer security blog or follow him on Twitter.