We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Three security flaws found in Google Docs

Images accessed even if sharing rights revoked

Three flaws in Google Docs could leave private data exposed, says a security researcher.

Google Docs is an online office-productivity suite that lets users create and share word processing or spreadsheet documents. It's free for consumers, and Google also offers an enterprise version, Google Apps, with more features.

One of the flaws allows images to be accessible even if a document has been deleted or the sharing rights have been revoked, said Ade Barkah, the founder of enterprise application consultancy BlueWax, in a blog.

A person would need to have the correct URL for the image to access it, Barkah said. The flaw shows that Google Docs does not protect images with its sharing controls, he wrote.

"If you've shared a document containing embedded images with someone, that person will always be able to view those images. If you embed an image into a protected document, you'd expect the image to be protected too. The end result is a potential privacy leak."

The second problem allows users to see all versions of an image that's been modified. For example, if a user wanted to redact part of an image and share it, the user who has access to it could modify the URL of that image to see previous versions.

Barkah said that items such as diagrams are rasterised into a .PNG image. When the diagram is modified, Google Docs creates a new rasterised image but preserves old versions with a unique URL. By changing a numeral in the URL, the old diagram can be seen.

Barkah also found a third problem but is not releasing details on it just yet. It appears to allow people who once had access to someone's Google Docs to still get access even if access rights have been changed.

Google was notified of the issues on March 18, and Barkah said he was in touch with Google's security team. In a statement, Google said they are investigating but that "we do not believe there are significant security issues with Google Docs".

If accurate, Barkah's discoveries are likely to fuel calls that the company needs to do a thorough security review of its cloud-based applications.

Earlier this month, Google acknowledged that a glitch in Docs caused some documents to be exposed to users without proper permission.

The problem occurred among users who had previously shared documents. The company said it affect fewer than 0.05 percent of documents.

IDG UK Sites

LG G4 Note UK release date and specification rumours: Samsung Galaxy Note 5 killer could be the LG 3......

IDG UK Sites

In defence of BlackBerrys

IDG UK Sites

Why we should reserve judgement on Apple ditching Helvetica in OS X/iOS for the Apple Watch's San...

IDG UK Sites

Retina 3.3GHz iMac 27in preview: Apple cuts £400 off Retina iMac with new model