Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Security Concerns Raised For Google Docs

Posted by Soulskill on from the it's-not-a-bug-it's-a-feature dept.

TechCrunch is running a story about three possible security issues with Google Docs recently uncovered by researcher Ade Barkah. It turns out that an image embedded into a protected document is given a URL which is not protected, allowing anyone who knows or guesses it to see the image regardless of permissions or even the existence of the document. Barkah also pointed out that once you've shared a document with another person, that person can see diagram revisions from any point before they gained access, forcing you to create a new document if you need to redact something. The last issue, the mechanics of which he disclosed only to Google, affects the document-sharing invitation forwarding system, which can allow somebody access to your documents after you've removed their permissions. Google made a blog post to respond to these concerns, saying that they "do not pose a significant security risk," but are being investigated. We previously discussed a sharing bug in Google Docs that was fixed earlier this month.

6 of 92 comments (clear)

  1. Access after you revoked permissions = a copy by KiloByte · · Score: 5, Insightful

    Eh, retaining access to a copy of the document after the original author revoked permission is certainly not a security issue -- at least, not unless you believe in DRM.

    Being able to read future versions, like a reverse of the first bug of the article, would be bad, but the article doesn't suggest this is the case.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    1. Re:Access after you revoked permissions = a copy by Curunir_wolf · · Score: 4, Insightful

      Sorry, but those are the breaks. Unless, as you say, you're going to DRM everything, you're not going to be able to control copies of anything published

      This is nonsense. Publishers have control, it's called copyright.

      If the viewer didn't go to the effort to ensure they made a copy, revokation of the permission should make it impossible for them to get a new copy of the old text.

      Is this meant to be a troll? copyright has nothing to do with permission to access. If you give someone a copy of something, copyright means they are not allowed to copy it, not that you can take away their copy at a later time.

      I mean, what are you trying to say?

      --
      "Somebody has to do something. It's just incredibly pathetic it has to be us."
      --- Jerry Garcia
  2. Google's Right by John+Hasler · · Score: 5, Insightful

    Since nothing on the Web is secure anyway, what's the problem? If it's an important secret keep it off the Web.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    1. Re:Google's Right by theshowmecanuck · · Score: 4, Insightful

      I was thinking exactly the same thing. You put your stuff on somebody else's machine, in an environment that is by design exposed to the wild, wild Internet, and better yet the server URIs are advertised to the world because it is your hosts business model to advertise where the documents are (who could use them if they couldn't find them)... If people want to trust others with their important documents in that sort of a model, then it is business Darwinianism if critical documentation are leaked. And another thing, who knows if their personnel look through peoples documents for a laugh or just being nosey. Heck, government employees risk getting fired looking up personal data of prominent people when they run for office. If government employees will do that, why wouldn't people in data centres.

      Personally, I don't trust any of my documents to others to take care of. I like my stuff behind firewalls and not sitting directly on the on ramp to the Internet (had to get a car metaphor in somewhere). Mind you, I think this type of model will continue at least for a while if not forever, no matter what happens. People growing up now-a-days don't think as much about what personal information they post on the Internet, why would they care if their personal documents are managed by someone else that they don't know (other than a corporate logo).

      --
      -- I ignore anonymous replies to my comments and postings.
    2. Re:Google's Right by tassii · · Score: 4, Insightful

      Then your corporation is an idiot. Nothing on the web is private. At the very least, Google retains the rights to those documents. Anyone who puts their trust in corporate documents to a third party application gets everything they deserve.

      --
      "I drank what?" - Socrates
  3. I really want to see password protected documents by AbRASiON · · Score: 4, Insightful

    Yeah I know you need my google account to compromise the document in the first place but that's only one level of security, considering some of the things I have on google docs a second level really would be appreciated.