Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Security Concerns Raised For Google Docs

Posted by Soulskill on from the it's-not-a-bug-it's-a-feature dept.

TechCrunch is running a story about three possible security issues with Google Docs recently uncovered by researcher Ade Barkah. It turns out that an image embedded into a protected document is given a URL which is not protected, allowing anyone who knows or guesses it to see the image regardless of permissions or even the existence of the document. Barkah also pointed out that once you've shared a document with another person, that person can see diagram revisions from any point before they gained access, forcing you to create a new document if you need to redact something. The last issue, the mechanics of which he disclosed only to Google, affects the document-sharing invitation forwarding system, which can allow somebody access to your documents after you've removed their permissions. Google made a blog post to respond to these concerns, saying that they "do not pose a significant security risk," but are being investigated. We previously discussed a sharing bug in Google Docs that was fixed earlier this month.

16 of 92 comments (clear)

  1. Access after you revoked permissions = a copy by KiloByte · · Score: 5, Insightful

    Eh, retaining access to a copy of the document after the original author revoked permission is certainly not a security issue -- at least, not unless you believe in DRM.

    Being able to read future versions, like a reverse of the first bug of the article, would be bad, but the article doesn't suggest this is the case.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    1. Re:Access after you revoked permissions = a copy by ssintercept · · Score: 3, Informative

      Does anyone know how to patch reality?

      DRUGS
      lots and lots of delicious mind-bending drugs!

      --
      "You can kill the revolutionary, but you can't kill the revolution."-- Fred Hampton
    2. Re:Access after you revoked permissions = a copy by Curunir_wolf · · Score: 4, Insightful

      Sorry, but those are the breaks. Unless, as you say, you're going to DRM everything, you're not going to be able to control copies of anything published

      This is nonsense. Publishers have control, it's called copyright.

      If the viewer didn't go to the effort to ensure they made a copy, revokation of the permission should make it impossible for them to get a new copy of the old text.

      Is this meant to be a troll? copyright has nothing to do with permission to access. If you give someone a copy of something, copyright means they are not allowed to copy it, not that you can take away their copy at a later time.

      I mean, what are you trying to say?

      --
      "Somebody has to do something. It's just incredibly pathetic it has to be us."
      --- Jerry Garcia
  2. It's nothing, Shroedinger's logarithm beats that by Enleth · · Score: 5, Interesting

    Open a new spreadsheet, type in those formulas:

    A1: "=log10(1000)", format for two decimals - equals 3.00
    A2: "=trunc(3.00)", format for two decimals - equals 3.00
    A3: "=trunc(log10(1000))", format for two decimals - equals... *drumbeat* 2.00, that is, TWO POINT OH OH. Uh, oh.

    I decided to call it "Schroedinger's logarithm".

    A report on the Google Docs' technical support forum went unanswered...

    --
    This is Slashdot. Common sense is futile. You will be modded down.
  3. Re:It's nothing, Shroedinger's logarithm beats tha by TheRealMindChild · · Score: 4, Informative

    While I agree, this is a bug, I think underneath it is the 60 year old "representing floats in binary" issue. Chances are, underneath, log10(1000) ends up being 2.999999999999999, but with some workarounds/fixes that translate the result to 3.00. But in the case of trunc(log10(1000)), trunc is operating on 2.999999999999 before said workaround/fix kicks in, so it ends up being 2.00.

    Of course, this is just speculation.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  4. Google's Right by John+Hasler · · Score: 5, Insightful

    Since nothing on the Web is secure anyway, what's the problem? If it's an important secret keep it off the Web.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    1. Re:Google's Right by theshowmecanuck · · Score: 4, Insightful

      I was thinking exactly the same thing. You put your stuff on somebody else's machine, in an environment that is by design exposed to the wild, wild Internet, and better yet the server URIs are advertised to the world because it is your hosts business model to advertise where the documents are (who could use them if they couldn't find them)... If people want to trust others with their important documents in that sort of a model, then it is business Darwinianism if critical documentation are leaked. And another thing, who knows if their personnel look through peoples documents for a laugh or just being nosey. Heck, government employees risk getting fired looking up personal data of prominent people when they run for office. If government employees will do that, why wouldn't people in data centres.

      Personally, I don't trust any of my documents to others to take care of. I like my stuff behind firewalls and not sitting directly on the on ramp to the Internet (had to get a car metaphor in somewhere). Mind you, I think this type of model will continue at least for a while if not forever, no matter what happens. People growing up now-a-days don't think as much about what personal information they post on the Internet, why would they care if their personal documents are managed by someone else that they don't know (other than a corporate logo).

      --
      -- I ignore anonymous replies to my comments and postings.
    2. Re:Google's Right by tassii · · Score: 4, Insightful

      Then your corporation is an idiot. Nothing on the web is private. At the very least, Google retains the rights to those documents. Anyone who puts their trust in corporate documents to a third party application gets everything they deserve.

      --
      "I drank what?" - Socrates
  5. Re:It's nothing, Shroedinger's logarithm beats tha by John+Hasler · · Score: 4, Funny

    You sure that isn't just an Excel compatibility feature?

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  6. Re:It's nothing, Shroedinger's logarithm beats tha by Enleth · · Score: 3, Insightful

    Just about any other application I checked this with (I recall trying OOo, Excel, KSpread, Gnumeric, python, Matlab [which purposely does not do any floating point error correction when not asked to] and Maxima) got it right, so I'm not really convinced that it's something common and hard to avoid. Well, maybe it is common if not corrected for, but definitely not hard to avoid and unheard of. Besides, other multiplies of 10 up to 10E+20 were fine, as were logarithms for several different bases and sets of values.

    --
    This is Slashdot. Common sense is futile. You will be modded down.
  7. Re:It's nothing, Shroedinger's logarithm beats tha by morgan_greywolf · · Score: 3, Informative

    Probably right. In 32-bit Python:

    math.log(1000,10)
    2.9999999999999996

    However, carrying out his example on OpenOffice.org Calc 2.2 results in 3.00. So while it's likely a binary representation problem, it's also probably a bug.

    --
    My blog
  8. Google's own position on this by adrianmsmith · · Score: 4, Informative

    http://googledocs.blogspot.com/2009/03/just-to-clarify.html

    1. Re:Google's own position on this by Zarel · · Score: 3, Funny

      ...that's the third link in the summary.

      Oh! We're attempting to get people to RTFA by reposting it in the commentary and pretending it isn't TFA, are we? ;)

      --
      Want a high quality FOSS RTS game? Try Warzone 2100!
  9. Business Security by StormReaver · · Score: 3, Insightful

    If anyone hosts anything more important than their grocery list on someone else's servers, then they deserve the inevitable security breaches that will follow. The entire nature of Google Docs (hosting your data on someone else's servers) is a security concern.

    The only way Google Docs isn't the dumbest thing your business can do is if your business uses the software on your own LAN/VPN, and hosts your own data on the same.

    There should be a Darwin Award for businesses, if there isn't already.

    1. Re:Business Security by TheRaven64 · · Score: 4, Interesting

      I did some consulting a while ago for a company which had a senior manager (I can't remember his actual title; the boss / owner's second in command) who kept the customer database on a USB flash drive. This was stored as an Access database and was completely secure, because it was always carried with him and only inserted into a computer when someone needed to access it.

      Completely secure, of course, until he decided to go into business by himself, and emailed all of the company's customers with a quote for their business at a slightly lower rate than they were currently paying, and some quite unprofessional comments about his former employer.

      You can't have absolute security, but it seems a lot of people are very bad at working out exactly how much security they really do have. In many cases, it's a lot less than they think.

      --
      I am TheRaven on Soylent News
  10. I really want to see password protected documents by AbRASiON · · Score: 4, Insightful

    Yeah I know you need my google account to compromise the document in the first place but that's only one level of security, considering some of the things I have on google docs a second level really would be appreciated.