Three flaws in Google Docs could leave private data exposed, says a security researcher.
Google Docs is an online office-productivity suite that lets users create and share word processing or spreadsheet documents. It's free for consumers, and Google also offers an enterprise version, Google Apps, with more features.
One of the flaws allows images to be accessible even if a document has been deleted or the sharing rights have been revoked, said Ade Barkah, the founder of enterprise application consultancy BlueWax, in a blog.
A person would need to have the correct URL for the image to access it, Barkah said. The flaw shows that Google Docs does not protect images with its sharing controls, he wrote.
"If you've shared a document containing embedded images with someone, that person will always be able to view those images. If you embed an image into a protected document, you'd expect the image to be protected too. The end result is a potential privacy leak."
The second problem allows users to see all versions of an image that's been modified. For example, if a user wanted to redact part of an image and share it, the user who has access to it could modify the URL of that image to see previous versions.
Barkah said that items such as diagrams are rasterised into a .PNG image. When the diagram is modified, Google Docs creates a new rasterised image but preserves old versions with a unique URL. By changing a numeral in the URL, the old diagram can be seen.
Barkah also found a third problem but is not releasing details on it just yet. It appears to allow people who once had access to someone's Google Docs to still get access even if access rights have been changed.
Google was notified of the issues on March 18, and Barkah said he was in touch with Google's security team. In a statement, Google said they are investigating but that "we do not believe there are significant security issues with Google Docs".
If accurate, Barkah's discoveries are likely to fuel calls that the company needs to do a thorough security review of its cloud-based applications.
Earlier this month, Google acknowledged that a glitch in Docs caused some documents to be exposed to users without proper permission.
The problem occurred among users who had previously shared documents. The company said it affect fewer than 0.05 percent of documents.