Google Denies Severity Of Google Docs Flaw

A security consultant has claimed that weaknesses in Google Docs could allow users to view another user’s shared documents even after their access rights have been taken away. Google has said it is investigating, but does not believe this is a serious threat to users.

In his blog, security consultant Ade Barkah published information about three privacy issues in Google Docs tied to the system’s content sharing controls. The most serious of the issues is not described in detail, although he contends that it could be abused in certain circumstances to allow someone to access a document even after that person’s access rights have been taken away.

Barkah demonstrated that embedded images in documents can still be accessed by people with whom the documents had been shared even if that document is no longer shared, or even after it has been deleted.

“When you embed (‘insert’) an image from your computer into a Google Document, that image is ‘uploaded’ onto Google servers and assigned an ID,” Barkah wrote. “From then on, the image is accessible via a URL.”

In addition, when a document contains a Docs diagram, it is possible for people with whom that document was shared as a collaborator to see the diagram even if it was redacted.

“In Google Docs, a diagram is a set of instructions that’s rasterised into an image (in PNG format),” he wrote. “Each time you modify a diagram, a new raster image is created, but the old versions remain accessible via a URL, in the format: docs.google.com/drawings/imageoeid=1234&…&rev=23&ac=1. To view any previous version, just change the ‘rev=’ number above.”
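The access pattern described above can be modelled in a few lines. The following is an added example, not code from Barkah's post or from Google: a constructed in-memory store with hypothetical names (`AssetStore`, `fetch_weak`, `fetch_checked`) that contrasts serving an asset by identifier alone with re-checking the parent document's current sharing state on every fetch. Limiting non-owners to the latest revision is a design assumption of this sketch.

```python
from dataclasses import dataclass, field

@dataclass
class Document:
    owner: str
    collaborators: set = field(default_factory=set)
    deleted: bool = False
    revisions: dict = field(default_factory=dict)  # rev number -> raster bytes

class AssetStore:
    """Constructed model: rasters addressed by (doc_id, rev)."""
    def __init__(self):
        self.docs = {}

    def fetch_weak(self, user, doc_id, rev):
        # Weak pattern: knowing the identifier is enough. The parent
        # document's current sharing state is never consulted.
        return self.docs[doc_id].revisions.get(rev)

    def fetch_checked(self, user, doc_id, rev):
        # Hardened pattern: authorize against the document as it is *now*.
        doc = self.docs.get(doc_id)
        if doc is None or doc.deleted:
            return None                      # deleted documents serve nothing
        if user != doc.owner and user not in doc.collaborators:
            return None                      # access was never granted or was revoked
        latest = max(doc.revisions, default=None)
        if user != doc.owner and rev != latest:
            return None                      # assumption: history is owner-only
        return doc.revisions.get(rev)

def scenario():
    """Walk one constructed document through edit, unshare and delete."""
    store = AssetStore()
    doc = Document(owner="alice", collaborators={"bob"})
    doc.revisions = {22: b"diagram with sensitive label",
                     23: b"diagram, label removed"}
    store.docs["d1"] = doc
    out = {"current_checked": store.fetch_checked("bob", "d1", 23),
           "old_rev_weak": store.fetch_weak("bob", "d1", 22),
           "old_rev_checked": store.fetch_checked("bob", "d1", 22)}
    doc.collaborators.discard("bob")         # owner stops sharing
    out["unshared_weak"] = store.fetch_weak("bob", "d1", 23)
    out["unshared_checked"] = store.fetch_checked("bob", "d1", 23)
    doc.deleted = True                       # owner deletes the document
    out["deleted_weak"] = store.fetch_weak("bob", "d1", 23)
    out["deleted_owner_checked"] = store.fetch_checked("alice", "d1", 23)
    return out
```
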

In fairness to Google, the examples involve documents that have already been shared, which assumes a certain degree of trust.

“We take the security of our users’ information very seriously and are investigating the concerns raised by the researcher,” a Google spokesperson said. “Based on the information we’ve received, we do not believe there are significant security issues with Google Docs. We will share more information as soon as it’s available.”

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
