Google Drive security hole leaks users’ files

Google Drive security hole leaks users' files

Raincloud and Google Drive composite. Cloud image courtesy of ShutterstockWe often repeat this advice from former Naked Security writer Graham Cluley: for a better understanding of how you should approach security in the cloud, simply replace all instances of the words in the cloud with the words on somebody else’s computer.

Google just handed us another opportunity to do just that.

It turns out that Google Drive has been incontinent, dribbling out private data courtesy of a security hole concerning files with embedded URLs.

When someone clicks an embedded hyperlink, they get sent to the website of a third-party website owner.

Unfortunately, the flaw was also letting the website owner – an unauthorized party – view header information, potentially including the original document that included the URL.

Google has now patched the hole, which it got wind of via its Vulnerability Reward Program.

Google downplayed the flaw last week in its blog posting, saying that the flaw only affected a “small subset” of file types in Google Drive.

It said that the glitch was relevant only if all four of these conditions apply:

  • The file was uploaded to Google Drive
  • The file was not converted to Docs, Sheets, or Slides (i.e. remained in its original format such as .pdf, .docx, etc.)
  • The owner changed sharing settings so that the document was available to “Anyone with the link”, and
  • The file contained hyperlinks to third-party HTTPS websites in its content.

Google says that if all those conditions applied, a user who clicked on the embedded hyperlink could have inadvertently sent header information to the administrator of the third-party site, allowing him or her to potentially see the URL of the original document that linked to his or her site.

The glitch is being compared to the Dropbox hyperlink disclosure vulnerability, in which clickable URLs were leading to folders containing all sorts of stuff stored in Dropbox and Box that you wouldn’t want disclosed: tax returns, mortgage applications, business plans and banking data, for example.

Post-fix, Google says that we can go ahead and share documents with hyperlinks to third-party HTTPS websites, all nice ‘n safe ‘n secure, with no original document URLs dribbling out.

If you’ve got previously shared documents floating around out there that match those four criteria above, Google says you can generate a new, safe sharing link by following these steps:

  1. Create a copy of the document, via File > “Make a copy…”
  2. Share the copy of the document with particular people or via a new shareable link, via the “Share” button
  3. Delete the original document

Of course, there’s no reason to trust Google’s “go ahead and share! It’s really safe now!” promise, given that the only way to completely keep other people out of your business when in the cloud on somebody else’s computer is to encrypt your files before they leave your system, using keys that you control.

Sophos can help with that – SafeGuard Encryption for Cloud Storage and Sophos Mobile Encryption, if you want to lock down your business on Dropbox, Box.com, Egnyte and others directly from your PC and mobile device.

Image of raincloud courtesy of Shutterstock.