Google Drive security hole leaks users' files


We often repeat this advice from former Naked Security writer Graham Cluley: for a better understanding of how you should approach security in the cloud, simply replace all instances of the words "in the cloud" with the words "on somebody else's computer".

Google just handed us another opportunity to do just that.

It turns out that Google Drive has been incontinent, dribbling out private data courtesy of a security hole concerning files with embedded URLs.

When someone clicks an embedded hyperlink, they get sent to a website run by a third party.

Unfortunately, the flaw was also letting the website owner - an unauthorized party - view header information, potentially including the original document that included the URL.

Google has now patched the hole, which it got wind of via its Vulnerability Reward Program.

Google downplayed the flaw last week in its blog posting, saying that the flaw only affected a "small subset" of file types in Google Drive.

It said that the glitch was relevant only if all four of these conditions apply:

  • The file was uploaded to Google Drive
  • The file was not converted to Docs, Sheets, or Slides (i.e. remained in its original format such as .pdf, .docx, etc.)
  • The owner changed sharing settings so that the document was available to "Anyone with the link", and
  • The file contained hyperlinks to third-party HTTPS websites in its content.

Google says that if all those conditions applied, a user who clicked on the embedded hyperlink could have inadvertently sent header information to the administrator of the third-party site, allowing him or her to potentially see the URL of the original document that linked to his or her site.

The glitch is being compared to the Dropbox hyperlink disclosure vulnerability, in which clickable URLs were leading to folders containing all sorts of stuff stored in Dropbox and Box that you wouldn't want disclosed: tax returns, mortgage applications, business plans and banking data, for example.

Post-fix, Google says that we can go ahead and share documents with hyperlinks to third-party HTTPS websites, all nice 'n safe 'n secure, with no original document URLs dribbling out.

If you've got previously shared documents floating around out there that match those four criteria above, Google says you can generate a new, safe sharing link by following these steps:

  1. Create a copy of the document, via File > "Make a copy..."
  2. Share the copy of the document with particular people or via a new shareable link, via the "Share" button
  3. Delete the original document
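To find which previously shared files meet all four conditions and so need those steps, an inventory check along the following lines helps. This is an added example, not code from Google or from the original article; the record fields, the `anyone_with_link` label and the first-party host list are assumptions, and the sample inventory is constructed.

```python
import re
from urllib.parse import urlsplit

# Converted Docs/Sheets/Slides files carry Google-native MIME types.
NATIVE_PREFIX = "application/vnd.google-apps."
# Assumption: hosts under these suffixes are not "third-party" for this audit.
FIRST_PARTY_SUFFIXES = ("google.com",)
URL_RE = re.compile(r"https?://[^\s<>\"'()\[\]]+", re.IGNORECASE)

def third_party_https_hosts(text):
    """Sorted third-party hosts that the links in `text` reach over HTTPS."""
    hosts = set()
    for url in URL_RE.findall(text):
        parts = urlsplit(url.rstrip(".,;"))  # drop trailing sentence punctuation
        host = parts.hostname or ""
        if parts.scheme != "https" or not host:
            continue  # the fourth condition names HTTPS links only
        if any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES):
            continue
        hosts.add(host)
    return sorted(hosts)

def needs_new_link(record):
    """Hosts that could have seen the document URL; [] unless all four conditions hold."""
    exposed = (record["uploaded"]
               and not record["mime_type"].startswith(NATIVE_PREFIX)
               and record["sharing"] == "anyone_with_link")
    return third_party_https_hosts(record["text"]) if exposed else []

def audit(inventory):
    """Map file name -> third-party hosts for every file that should be re-shared."""
    return {r["name"]: h for r in inventory if (h := needs_new_link(r))}

# Constructed sample inventory (hypothetical field names, not a Drive API response).
PDF, GDOC = "application/pdf", NATIVE_PREFIX + "document"
INVENTORY = [
    {"name": "tax-return.pdf", "uploaded": True, "mime_type": PDF, "sharing": "anyone_with_link",
     "text": "See https://accountant.example/portal and http://plain.example/x."},
    {"name": "plan.docx", "uploaded": True, "mime_type": GDOC, "sharing": "anyone_with_link",
     "text": "Partner site: https://partner.example/"},
    {"name": "budget.pdf", "uploaded": True, "mime_type": PDF, "sharing": "specific_people",
     "text": "Statements at https://bank.example/login"},
    {"name": "handbook.pdf", "uploaded": True, "mime_type": PDF, "sharing": "anyone_with_link",
     "text": "https://drive.google.com/x, https://hr.example/policy, https://HR.example/benefits"},
]

if __name__ == "__main__":
    for name, hosts in audit(INVENTORY).items():
        print(f"{name}: copy, re-share, delete original (links to {', '.join(hosts)})")
```
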

Of course, there's no reason to trust Google's "go ahead and share! It's really safe now!" promise, given that the only way to completely keep other people out of your business when in the cloud, that is, on somebody else's computer, is to encrypt your files before they leave your system, using keys that you control.

Sophos can help with that - SafeGuard Encryption for Cloud Storage and Sophos Mobile Encryption, if you want to lock down your business on Dropbox, Egnyte and others directly from your PC and mobile device.

Image of raincloud courtesy of Shutterstock.


2 Responses to Google Drive security hole leaks users' files

  1. Anonymous · 453 days ago

    The title of this article is very misleading. It should read "Google Drive security hole makes semi-public files available to unintended recipients" or something similar. The title implies the entirety of my Google Drive account will become accessible to the world, including both my unshared and public files.

    • Phil Hall · 453 days ago

      Agreed. The issue here is people thinking that a long URL keeps their document safe.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.