News
Analyst Spots Three Flaws in Google Docs
Google denies problems, but finds could raise more questions over the safety of storing data in the cloud
By Jeremy Kirk, IDG News Service (London Bureau)
March 27, 2009 — IDG News Service — LONDON (03/27/2009) - A security analyst says he's found three glitches in Google Docs that could expose private data, but Google said the issues don't pose a security risk.
Google Docs is an online office productivity suite that lets users create and share word processing or spreadsheet documents. It's free for consumers, and Google also offers an enterprise version, Google Apps, with more features.
One of the flaws allows images to be accessible even if a document has been deleted or the sharing rights have been revoked, wrote Ade Barkah, the founder of BlueWax, an enterprise application consultancy based in Toronto.
A person would need to have the correct URL for the image to access it, Barkah wrote. The flaw shows that Google Docs does not protect images with its sharing controls, he wrote.
"If you've shared a document containing embedded images with someone, that person will always be able to view those images," he wrote. "If you embed an image into a protected document, you'd expect the image to be protected too. The end result is a potential privacy leak."
The second problem allows users to see all versions of an image that's been modified. For example, if a user wanted to redact part of an image and share it, the user who has access to it could modify the URL of that image to see previous versions.
Barkah wrote that items such as diagrams are rasterized into a .PNG image. When the diagram is modified, Google Docs creates a new rasterized image but preserves old versions with a unique URL. By changing a numeral in the URL, the old diagram can be seen.
Barkah also found a third problem but is not releasing details on it just yet. It appears to allow people who once had access to someone's Google Docs to still get access even if access rights have been changed.
Google was notified of the issues on March 18, and Barkah said he was in touch with Google's security team on Thursday. In a statement, Google said they are investigating but that "we do not believe there are significant security issues with Google Docs."
If accurate, Barkah's discoveries are likely to fuel calls that the company needs to do a thorough security review of its cloud-based applications.
Last week, the Electronic Privacy Information Center filed a complaint asking the U.S. Federal Trade Commission to stop Google from offering services that collect data until privacy controls can be verified.
google docs
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
Digital ID World
-
September 14 - 16, 2009Rio Hotel and CasinoRegister Now »
Las Vegas, Nevada
(ISC)2 members can earn up to 24 CPE Credits!
Reference priority code ONLINE and attend the full conference for the reduced rate of $995!
