Recently we’ve been looking into using Google Docs to remove some of the headache of read-only and lock file issues that are a frequent occurrence on network drive shares. While Google Docs is for the most part quite promising, we ran into an interesting and somewhat frightening snag that we’ve since reported to Google. As with any service this large, there are bound to be some oversights that turn up only in widespread use. I’ve been unable to find out whether this issue has already been posted elsewhere, so here’s what we found.
1. A user creates a new Google Docs document.
2. The user then sends an invitation to share this document to several email addresses via the share option.
3. The email containing a link to the shared document invitation is received via company email.
4. The recipient clicks the link in the email within their mail client.
5. Next, you’re typically either prompted to log in to Google Docs and accept or reject the invitation to view the document, or, if you’re already logged in to your Gmail account, taken straight to the accept or reject invitation screen.
6. You press accept and view the document.
Stop and think about that… the invitation was sent to a company email address, not a Gmail address. Shouldn’t that invitation be only for that email address? Or at least limited to the set of emails that were invited when the bulk invite was sent out?
Yet anyone who can get hold of that link and put it in a browser can log in to, say, a personal Gmail account and get access to the same document. What we found in testing was that anyone who got hold of the link could log in to their Gmail account and still view the document.
With the number of schools and businesses already migrated over to Google Docs, I’m surprised this hasn’t been resolved yet.
How big a deal is this? It really depends on what’s in the document you’re sharing; however, anyone who can sniff out that link and sign up for a Gmail account can gain access to the document.
Whether by sniffing your network traffic, sniffing your mail server or mail relays, snooping via a compromised machine or email account, email being forwarded to an insecure or unintended address, or a shady client even being able to take a quick photo of your screen while the URL is in view – so long as they can get that doc share invitation link and type it in their browser, they can now access it via any Google Docs or Gmail account they have access to, even though the invite may have only been intended for firstname.lastname@example.org.
Only send share invitations to other Gmail accounts. Google Docs to Gmail communication should stay on Google’s internal network and never go out on the web. Post the link only in secured locations.
Or, instead of sending out share invitations, send an email containing the Google Docs URL for the document itself. The user clicking the link will first have to log in to their Gmail/Google Docs account, then will have to request access to that document before they can view it. This can be approved or denied at your discretion.
If Google were to allow users to encrypt their email via PGP or some other means before sending, the link could not be sniffed in plain text.
However, the above does not really address the simpler underlying security issue: an invitation to share a document should (unless otherwise stated in bold red) only be usable by the address the invitation was sent to.
It may seem convenient that if someone sends a Google Docs invite to your @business.com account, you can click on the link and sign in with your personal Gmail, since you don’t have Google Docs tied to your @business address. However, that means it’s convenient for anyone else to do so too, if they can find a way to capture that link.
Yes – often these invitations are read-only. However, imagine the bounty of company and school documents that could be quite harmful in the wrong hands – read-only or not. Personal and proprietary data, exam questions, you name it. If a business has migrated to Google Docs, it’s all there if you can sleuth out the link.
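To make the difference concrete, here is an added sketch (not Google's implementation and not code from the original post) contrasting an invitation link that works for whoever holds it with one that only redeems for the invited address. The key, function names, document ID and second address are assumptions made up for illustration.

```python
import hashlib
import hmac

# Constructed demo key; a real service would load this from a secrets store.
SERVER_KEY = b"constructed-demo-key"


def _tag(*parts: str) -> str:
    """HMAC-SHA256 over the NUL-joined parts, hex encoded."""
    msg = "\x00".join(parts).encode("utf-8")
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def _matches(token: str, *parts: str) -> bool:
    """Constant-time check of the token's tag against the expected tag."""
    doc_id, _, tag = token.rpartition(".")
    expected = _tag(parts[0], doc_id, *parts[1:])
    return hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8"))


def issue_bearer(doc_id: str) -> str:
    """Invitation as described in the post: valid for whoever holds the link."""
    return f"{doc_id}.{_tag('bearer', doc_id)}"


def redeem_bearer(token: str, signed_in_email: str) -> bool:
    # The signed-in account is never consulted, so a leaked link is enough.
    return _matches(token, "bearer")


def issue_bound(doc_id: str, invitee_email: str) -> str:
    """Invitation tied to one address; the address itself is not in the link."""
    return f"{doc_id}.{_tag('bound', doc_id, invitee_email.strip().lower())}"


def redeem_bound(token: str, signed_in_email: str) -> bool:
    # The tag is recomputed for the account that is actually signed in.
    return _matches(token, "bound", signed_in_email.strip().lower())


if __name__ == "__main__":
    invitee = "firstname.lastname@example.org"  # address used in the post
    other = "someone.else@example.com"          # constructed second account
    bearer, bound = issue_bearer("doc-123"), issue_bound("doc-123", invitee)
    print("bearer:", redeem_bearer(bearer, invitee), redeem_bearer(bearer, other))
    print("bound: ", redeem_bound(bound, invitee), redeem_bound(bound, other))
```

The bound form gives up the convenience of signing in with a different account than the one invited; that case would fall back to the request-access flow, where the owner approves or denies.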
Note: Another solution has been brought to our attention from the Google help forums:
Use Share->See who has access… Go to the Advanced permissions tab and untick both Allow editors to invite others to edit or view and Allow invitations to be forwarded, then click Save & Close.
Use Share->See who has access… and on the People with access tab make sure the general setting is Sign-in is required to view this item. Again click Save & Close.
A quick test of these settings seems to plug the hole. However, the scare remains that the default settings are quite insecure and few Google Docs users are likely to be aware of the security implications of those settings.
SEO news blog post by Dave Davies, CEO @ 6:42 pm on March 5, 2010