
More Docs security holes, more hand-waving by Google

It's as if Google's playing into the Electronic Privacy Information Center's hands. EPIC just urged the FTC to investigate Google and its cloud-based Docs program, charging that Google's document security is not only inadequate, but also deceptive. And almost as if on cue, three new security holes have been found in Google Docs.

The latest lapses were outlined in a blog post by security researcher Ade Barkah, where he lists these main problems:

1. Embedded images. Once images are embedded in a Google Docs document, and that document is shared, those images are forever available to everyone on the access list, even after the image is removed or the entire document is deleted.

2. File revisions. Docs users can also see all versions of embedded images, even if only the latest version is shared. All it takes is a simple URL modification to view the previous version.

3. Access rights. This one is more serious, so Barkah provides few details. The upshot is that once a user chooses to share a document with someone, that someone can always access that document, even after the access rights are changed.

According to PC World, Google says the three issues are no big deal:

Google was notified of the issues on March 18, and Barkah said he was in touch with Google's security team on Thursday. In a statement, Google said they are investigating but that "we do not believe there are significant security issues with Google Docs."

Except for the fact that Docs really has no security. Perhaps Docs is solely intended as a document-sharing platform, and that's why the security is a bit lax--if you don't want to share your documents, don't use Docs. But if that's so, Google should make itself clearer. Right now, new Docs users are told:

Rest assured that your documents, spreadsheets and presentations will remain private unless you publish them to the Web or invite collaborators and/or viewers.

But what it should say is that once you make the decision to share, all bets are off, and even versions you kept secret before can now be viewed by everyone. How's that for security?
