Security consultant Ade Barkah checked in with us to alert us to a couple of serious security issues associated with Google Docs, the web-based office software from the world’s most famous search engine company, giving a whole new meaning to its mission to make the world’s information universally accessible. On his blog on software, infrastructure and security, Barkah outlines no fewer than three issues that he discovered while investigating some potential security lapses.
Since he did the right thing by contacting Google about his findings (only to receive no response after five business days), we’re hoping that this article will help trigger the company’s engineering team to plug the holes asap. In case you missed it, earlier this month we uncovered some major privacy blunders going on with Google Docs, which the company later confirmed and fixed (we pinged them for this too).
Update: Google has published its stance on these issues on the official Docs blog (they don’t believe there’s a significant security risk).
So what’s up?
First, apparently when you embed an image in a protected document it gets uploaded to a Google server where people you’ve not given access to the file can still see and download it, even after you’ve deleted the document in question. I’ve uploaded an image to a protected file in my account for testing, and deleted the document right after. If you see the image embedded on top of this post, or click this link to find you can still get to the image, that means the above checks out.
I concur with Barkah, who writes:
If you embed an image into a protected document, you’d expect the image to be protected too. If you delete a document, you’d expect any embedded resources to be deleted also. The end result is a potential privacy leak.
Images can potentially contain confidential information, both personally and professionally, and it basically only takes finding out what the dedicated URL for an image is for anyone to access it freely, which is a massive privacy blunder.
Second, it appears that if you share a document carrying a diagram – a feature Google introduced yesterday – with anyone, this person will be able to view any version of any diagram that has been embedded in the document. That basically means that if you create a diagram with sensitive information and later decide to strip some of it away before sharing the document in view-only mode, the person you share it with will be able to revert to previously saved versions simply by tweaking the URL a bit, uncovering what you thought you were still hiding from him or her.
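The first two issues share one missing control: the embedded image and the older diagram revision are served without consulting the access list of the document they belong to. The Python sketch below is an added example, not code from Barkah, Google or this article; the `DocStore` model, its method names, the sample users and the policy that view-only users may read only the latest diagram revision are assumptions made for illustration.

```python
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised for missing and unauthorized resources alike, so replies reveal nothing."""


@dataclass
class Document:
    owner: str
    viewers: set = field(default_factory=set)              # view-only users
    diagram_revisions: list = field(default_factory=list)  # oldest first


class DocStore:
    """Constructed in-memory model; names and policy are assumptions."""

    def __init__(self):
        self.docs = {}    # doc_id -> Document
        self.images = {}  # image_id -> (doc_id, data)

    def can_view(self, user, doc_id):
        doc = self.docs.get(doc_id)
        return doc is not None and (user == doc.owner or user in doc.viewers)

    # Weak pattern described in the article: knowing the URL is the only check.
    def fetch_image_by_url_only(self, image_id):
        return self.images[image_id][1]

    # Hardened: the image inherits the access list of the document embedding it.
    def fetch_image(self, user, image_id):
        entry = self.images.get(image_id)
        if entry is None or not self.can_view(user, entry[0]):
            raise AccessDenied(image_id)
        return entry[1]

    # Hardened: viewers get the latest revision only; older ones are owner-only.
    def fetch_diagram(self, user, doc_id, revision=None):
        if not self.can_view(user, doc_id):
            raise AccessDenied(doc_id)
        doc = self.docs[doc_id]
        latest = len(doc.diagram_revisions) - 1
        wanted = latest if revision is None else revision
        if not 0 <= wanted <= latest:
            raise AccessDenied(doc_id)
        if wanted != latest and user != doc.owner:
            raise AccessDenied(doc_id)
        return doc.diagram_revisions[wanted]

    # Hardened: deleting a document also deletes the images embedded in it.
    def delete_document(self, user, doc_id):
        doc = self.docs.get(doc_id)
        if doc is None or user != doc.owner:
            raise AccessDenied(doc_id)
        del self.docs[doc_id]
        orphaned = [i for i, (d, _) in self.images.items() if d == doc_id]
        for image_id in orphaned:
            del self.images[image_id]


def build_sample_store():
    """Constructed sample data: one document shared view-only with 'bob'."""
    store = DocStore()
    store.docs["doc1"] = Document(owner="alice", viewers={"bob"},
                                  diagram_revisions=["salary table", "redacted"])
    store.images["img1"] = ("doc1", b"scan-bytes")
    return store
```
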
The third issue Barkah lays out is such a serious bug that he doesn’t go into the details of the mechanics behind it yet, pending further research and feedback from Google. The security specialist claims that if you take away the permission for another person to access your documents, they could in some cases still be able to get to them later without your knowledge.
If that last claim turns out to be valid, I’m leaving Google Docs and never coming back.
Update: A Google spokesperson responds:
We take the security of our users’ information very seriously and are investigating the concerns raised by the researcher. Based on the information we’ve received, we do not believe there are significant security issues with Google Docs. We will share more information as soon as it’s available.









Great, just great. Storms a brewin’ in the cloud.
Sounds like a storm in a tea cup.
If you want your files to be secure in the first place, just don’t share them on the cloud.
What was this thing called that helped you secure your data? Encryption?
I am obviously biased: cGeep.com
Remember, anonymity on the internet leads to crap like http://www.f2bbs.com
That’s why Google Products are still in Beta.
Yeah, that makes it ok then.
It does, no? Doesn’t beta imply “This thing is buggy. Use it at your own risk”.
Maybe Robin Wauters doesn’t understand the meaning of ‘beta’.
Again a Google LoopHole found. If you ask a good hacker they will tell you dozens of LoopHoles and flaws related to Google..
What makes you think that a dozen loop holes will be found? Because one bug was found a few weeks back?
BTW, You forgot to add a link back to your site as usual in your post?
Being in Beta does not excuse a program’s security vulnerabilities. Ask the Safari for Windows team.
An excuse not to QA?
No. Beta testing is an integral PART of the QA process, not an alternative to it. This is not news. If GoogleDocs was already bullet-proof, it wouldn’t need a beta.
Not Exactly True.
Beta products are supposed to have some level of functionality including security. The purpose of the beta test is to ensure that it works the way it was designed to under various real world situations. When you have issues like google docs where there is an obvious design flaw (i.e. linking directly to images w/o protection) and it is being marketed as a safe alternative to MS word/Openoffice that’s a big problem. When developers design something that will work with private data, a design process that focuses on privacy should be implemented throughout the development process. Google is no longer a small player with limited resources. If you are going to open a product/service to the public it should be ready for public use. Beta is not a dumping ground for software. In addition under google’s interpretation of the beta period, everything’s in beta – all of time. The problem is when you’re marketing this stuff to businesses and IT contractors and telling them that it is safe enough to move their data onto (when you should know that it is not) for collaboration. Doesn’t anyone practice QC (quality control, continual testing) after launch anymore? There’s a point where mature companies should not have all of these problems anymore (this is not an OS, for all of google’s talk they operate a closed house)
This is a QA, Trust (can large customers trust your service), and marketing issue. Not just privacy
From the view point of a former IT admin. (Ok, I admit I would have never put my private data on the cloud)
Amazing. If the last one is true it is a big problem.
Just use twidox.com instead
The first two have existed for a long time as documents are essentially HTML and there’s no real way to secure an HTML document. Images are not contained in the file so the authentication on each document does not apply to the other files that go to making up the entire doc.
Other websites do check for proper authentication on images… porn sites do it all the time.
Google could easily perform the same check.
Also that images are still accessible even after the document has been deleted is not good.
The session cookie referencing the authenticated user should be present in the headers when the image is fetched, else no image is being returned.
This implies that they are not covering the image resource fetching by the same mechanism as the document resource fetching. Naughty.
Other than the last issue, which, if confirmed, is a major security risk, these sound like a storm in a tea cup.
Regarding the images – how the hell would anyone know the URL of an image you uploaded and attached to one of your docs??? The only way would be to hack the document.
The chart versioning thing – since it’s been up only since yesterday, give them the benefit of the doubt. QA team did a poor job, guess there was no test case for checking security on older versions.
And the third one – guess we’ll have to hear more on that.
It’s not just a QA screw-up.
It’s a developer screw-up, a management screw-up, and a whole philosophical screw-up (no value for privacy built in at the beginning).
the philosophy is fine for building public apps, but if google expects us to trust them with private info (hello GMAIL!!!), there are serious changes that need to be made at a management level.
A friend pointed out to me years ago that due to Microsoft screwing up security so badly, they learned a lesson. Since then, Microsoft has become an industry leader in security modeling and testing. This focus on Trustworthy Computing (jargon to search for) will end up becoming a competitive advantage. We could be turning that corner soon.
Facebook support staff apparently has read access to my private Facebook data; Facebook’s UI is criminally had to lock down security on. Google Docs and Gmail continue to have security issues, yet companies pay Google for this insecure, beta software. Where are Facebook and Google’s security models? What are their security testing procedures? Do they have third party introsion audits? Do they have audits to verify proper internal PII security?
Apologies for misspellings. This box is very small and I see no edit link – “hard to lock down”, “third party intrusion audits”
Nonsense. Microsoft is still a fantastic exemplar of how NOT to do security. Users have to choose between unusable intrusive permissions alerts and ridiculously lax security.
Look to Apple for a good example of how to do it right.
“Look to Apple for a good example of how to do it right.”
Having a user base smaller than the margin of error for security does not a good security philosophy make.
Want to see how goddamn bad Apple is at security? Look no further than Safari for Windows, a laughable security trainwreck beyond comparison for a modern web browser.
Exactly! You spare me a comment.
Security through obscurity is not security at all. The image url should be protected like the secured document and the image should be deleted when the document is deleted — end of story.
Good point!
wow
Everybody makes mistakes.
The scandal to me is that Google does not seem to be responsive when somebody who has discovered a security/privacy issue approaches them.
That is a serious (mis-)management issue.
Google is not honoring its promises!
the result of initiative Project10tothe100.com had been promised for 27 January 2009. To the surprise of netsurfers the company failed to fulfil its promise. On that date there was a note by postponing the result to 26 March. Today, 26 March the company Google again not honored with its promise to netsurfers that are eager to know will have some result as announced and friendly initiative. And furthermore not inform new date. Promise is debt and Google has not kept its promise.
I’ve been watching this process and I know that people are still chugging on it. A huge number of suggestions came in, so it takes time to get through them all. Thanks for the ping, but I know that people are actively working on this.
I never understand all this nonsense about security. Anyone is free to read anything I write anywhere at any time. End of story. The type of person that uses Google Docs doesn’t care about security.
Exactly. People who care about document security store them locally and PGP-encrypt them.
My assumption is that ANYTHING I put on the internet can be read by anyone at anytime.
Nobody’s perfect. That would probably be a big mistake if that thing is true.
If this is the case with Google Docs, would similar exploits be usable in other cloud-based apps?
Simply put, Google Apps are a fun tool. Not really intended for business. Don’t put your secure/important files within Google tools.
Google, you should stick to what you’re best at! Isn’t it Google’s Philosophy as part of their “10 Things” shown here… http://www.goog.../tenthings.html
Look at the 2nd “Thing” Google does search.
Use at your own risk!
I have used HyperOffice.com and found it designed for business. It works great!
A “mistake” like a Google doc encountering a minor display issue when it’s being edited is something people can easily live with during a Beta.
Accidentally sharing info? Not quite so easy to stomach.
Business customers we sell to directly are often not as fanatical about understanding Smartsheet’s approach to security as when an IT group is involved in the selection decision.
Does this mean that a marketing manager, sales vp, or ops head care less about security? Absolutely not! Understanding a SaaS provider’s security model and track record often flies under the radar in someone’s – until something very bad happens.
Good luck explaining to a colleague or client they shouldn’t have seen something because the product you suggested to use for the project was ‘in Beta’ – your audience will simply not care.
“If that last claim turns out to be valid, I’m leaving Google Docs and never coming back.”
You’re putting sensitive documents up in the cloud? Well, see, there’s your first problem. Maybe mission critical documents belong in places under your control. Docs is fine, but the saying stays true; if I put something, anything, out on the wire I assume that it’s going to be out there forever and anyone can read it.
Never uploaded any sensitive documents on Google Docs, no, but that’s not the point.
Of course, meanwhile I’m still happily using Gmail … hmm
Actually, that IS the point. If it’s sensitive, don’t put it in the cloud.
So also never post sensitive info on Gmail? What’s the point of email without sensitive info (surely sometimes you would classify some of your info as sensitive that you send to friends/ work colleagues).
I never understand why businesses use Gmail.
Hmm.. just hope they’ll do something about it fast.
This site’s current Alltel ad has a “close” button that actually scrolls to another ad segment, then when you click the “close” button there it takes you to Alltel’s website.
I know you can mouse away from the ad, but “close” is supposed to mean “close,” no?
As long as you never start advertising like Slate.com, I guess I shouldn’t complain.
Google never moves their products from BETA……
good to know google strict hiring practices really get the best engineers
I’d expect more from a company like Google. Clearly Google doesn’t design their services with security in mind. As a highly visible leader in the space and with the huge installed base of Google docs users, you can bet they are a huge target for hackers. It’s only a matter of time before more holes are exploited.
Obviously the company that has been through the wringer on this is Microsoft, who now really understands security and at least attempts to design security into everything they do.
I don’t embed images or diagrams in my google docs but the last security loophole is the most troubling. How do we get confirmation as to whether it exists or not? @smokejumper
Great post!
Thanks,
Ben Fryxell
http://macmaniapodcast.com
That’s a huge leak in the cloud. I’m surprised Google didn’t catch this…
And that’s why cloud computing will never be what it’s being hyped to be.
Any company that is serious about protecting its proprietary information will never use free, open-source apps like Google Docs.
The “cloud” is not the deathknell of Microsoft and others that cloud and open-source advocates say it is.
Google Docs is open source and is only ‘free’ in the gratis sense — not the libre sense.
Furthermore, the “cloud” and open source advocacy have little to do with each other.
Please stop spreading FUD.
Good point.
Gmail is not safe either. Every time I open my Gmail there are ads that are 100% related to the content of the email sitting to the right….. I don’t know where Google is heading with this
I find it funny and amazing that Google is able to charge for software labeled as “beta”.
Google Beta till 2099…
It’s all bonus round advertisement for the product anyway. Watch the stock today. Like the adult industry where any news good or bad just makes for extra traffic/sales.
Just did a google image search for this:
http://images.g...p;um=1&sa=2
Looks a lot like what I would find when I search up my own name. I did a video about this a while back. http://www.yout...com/leaderscare
Google not responding to its e-mails? What a surprise, I’m surprised they didn’t reply back with a computer generated e-mail with a big “F*** you.” as an attachment. And God forbid Google implemented an actual customer support center, I think pigs will begin to fly before that happens.
Tell me about it. I’ve long been an AdWords client and since I’m not a tier 1 that spends $500,000+/month I get the lamest emails when I send a support request.
Best thing anyone can do is offer an alternative:
http://www.zoho.com/
Ah, if Google only publicly agreed with DNA and Greg and endorsed statements like “It’s just beta” or “Google Apps are a fun tool – not really intended for business” then it would just warrant a shrug of the shoulders. Granted, it’s still a bug. But a bug, in freebie, beta, “fun” software – .
But Google really sells this stuff. It charges money to enterprises for Premier Edition (see product comparison). There is a team (albeit a relatively small one) dedicated to enterprise applications. They tell people this is appropriate for an enterprise to use despite the “beta” tag on it.
So take your pick Google: you can have an enterprise development team and charge real money for GAPE or you can provide a fun, free, buggy, kinda secure (just through obscure URLs) web app. But not both.
(more on my blog at http://knowledg...and-fancy-free/)
I’m sorry Craig, but what is GAPE? I’m a newbie.
Makes me seriously concerned about Google Health as a secure product for patient records.
I really don’t know why Google, Facebook and other sites with such big budgets can’t just concentrate on making their sites more secure. I think if it continues then I have to give up my Google products and I think that if it continues people will switch.
Mohammad Afaq
I agree with you Mohammad. It’s like eBay’s administration ignoring the frustrations of their sellers. Of course, most of them left and switched over to another auction site. This is just another case of history repeating itself senselessly.
The problem with most major Corporations such as Google is they make the excuse of, “I didn’t know” whenever a repetitive problem like this occurs. Privacy on the internet has been a large issue since 1997 as I remember it. When news about bugs like Malware and Phishing bots rolled out, the same excuse was, “I didn’t know” and “We’ll investigate this” were repetitively spewed out to calm the noise when in fact we know who is responsible. I think the lack of accountability plays a huge part with any Corporation regarding any issue and most just don’t want to admit they’re wrong until someone outlines a report of “abuse”. Great article!
Robin, I fail to see the security problem, and why this is a story.
I’m at a cutting-edge private equity/VC firm, and we regularly use Google docs to manage files containing embedded images of things such as passports, social security data, NDA’s, term sheets, and so on, throughout the due diligence process, some of the docs in multiple revisions. I can’t imagine anyone here or any of our clients for that matter having a problem with this.
Just kidding. Cloud computing is going to be the next big thing it is sometimes said. Maybe if challenged companies such as Google can’t get these kinds of things right, other companies can. On the other hand, maybe if Google can’t get the basics right, no other company can.
Slowhand, you’re a complete idiot.
The main implication of the story, is that Google has spread itself too thin. Has Google become a firm obsessed with growth, which simply ignores the complaints of the likes of “little people” such as security consultants reporting grave product flaws?
I’m not sure what product of Google is not in Beta. The convention of Beta designation is so overly abused, that it has lost all genuine meaning. The key difference is whether anything has been released for public use, and Google docs have been around much longer than since yesterday.
Maybe Google has decided to keep all images, even after you delete a document; like, Facebook has decided to keep all images even after you close your account.
Ha, I was reading the opinions about what Beta means. While there are general qualities which define the Beta state, the only source which would provide a satisfactory definition in terms of Google’s beta status would be straight from the horse’s mouth. Neeeeyahaahaha.
I’m dismayed that Google Docs still has dirty HTML years after it was called Writely, then acquired. There are numerous UI quirks and strange omissions, such as lack of ability to strip excess rich tags (for when you want to remove different-colored fonts from a doc).
Also, once an image is uploaded, I don’t know any way to save it back to disk easily — right-clicking doesn’t work. Does anyone know a solution?
I have never used Google Docs before, but I keep hearing from people how convenient it really is, especially when working docs that need to be viewed and edited by several people. But sometimes Google makes me nervous, it’s like everything I do involves Google in some way, very big brother like. Take a look at this new digital security resource site (www.justaskgemalto.com), it has a lot of really important useful information. As our lives become fully digital, it’s good to be aware and have that digital smarts.
Be especially wary of online documents. Even though you deleted them, you can bet Google has a backup somewhere. Therefore be careful not to put anything on these files that you would want people to know even years down the line, especially if you’re running for office, planning to do something illegal, have financial information, etc.
it’s much better to be secure all the time
Twitter’s internal systems have just been hacked into, along with the accounts of Twitter users (including celebrities):
http://www.tima...via_google_apps
The initial point of entry wasn’t a gap in Twitter’s security. The hacker(s) gained access through a Google Apps account. The worry with a Google account is, it’s web-based and therefore only as secure as the rest of the Internet. If your Google account is compromised and you use Google Docs in a serious commercial setting, your Twitter account will be the least of your worries.
You can not expect every site and function to be absolutely perfect. There is not one site in the world that does not have a loophole. Google just catches heat because of its name and great reputation. Always be careful what you put out on the internet, hackers are amazing at what they do. Stay safe.