Google Docs serious Security Flaw

I just discovered something that I consider a serious security flaw in Google Docs. If you get invited by someone to view a Google Doc (let’s say a spreadsheet), and the person bookmarks that URL on delicious, anyone (!) is able to view the document.

I set up an example:

http://spreadsheets.google.com/ccc?key=pka1kBLVQULUUXmx_7p1Cbw&inv=mjschuster@aon.at&t=5885002335335438163&guest

This uses my personal email address, with no Google Account associated. If you click on the link, you’ll see the document that I initially set as private, with the option (translated from German)

  • Sign-in is required to view this item.
  • Privacy: sign-in always required.

Reminds me of Helge’s discovery: http://www.helge.at/2007/04/google-revealing-email/

Even worse so, the trick also reveals a whole lot of email addresses.

At least when I log into docs.google.com it now lists your document, along with the Gmail addresses (the part before the @) of anybody who has ever viewed it, apparently. Including myself, you, Bruno, Chl, Johannes, and some other folks.

This seems to be a variation of my bug report you’ve linked to: In addition to using GDocs to find out which Gmail account your friends use you can thus also use it to collect random Gmail accounts of people you manage to trick into clicking your docs link. (Something that’s not hard to achieve.)

A serious security hole if you ask me.

Comment by Helge — 22. December 2008 @ 21:56

Update: In a little experiment I sent the link to a couple of people, and I can see already who of them clicked on it already, using which Google accounts. Crazy.

Comment by Helge — 23. December 2008 @ 00:09

You don’t even need to trick people into clicking, all you need to do is to get their browser to send a request to Google (e.g. by [fake-]embedding it as iframe, img, whatever …).

The good news (for lowish values of good): The account in question needs to have been activated for Google Apps (happens when you first create a document).

Comment by chl — 23. December 2008 @ 01:43

[...] to take control of any Web 2.0 app that relies on saved cookie information. (There have also been other reports of Google Docs security issues, but we couldn’t reproduce the [...]

Pingback by Your Google Docs May Be Open to Hijacking « ArticleSave — 3. January 2009 @ 08:23

This has been fixed for quite a while now, right?

Comment by chl — 21. January 2009 @ 16:17

I can’t reproduce this; I get

“does not have the required permissions to access this spreadsheet.
This invitation was sent to mjschuster@aon.at. However, you are currently signed in as. (Sign in with different user information or submit a request for access to this document)

Learn more about this topic in the Google Text & Tabellen help.”

Kind regards,
Andreas

Comment by Andreas Pizsa — 27. February 2009 @ 15:40

Seems to be fixed now.

Comment by smi — 5. March 2009 @ 22:57
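The behaviour reported in the post and the check Andreas later observed can be modelled as two access decisions: the link alone acting as the credential, versus the link plus a signed-in account that matches the invitee. This is an added example, not Google's code and not part of the original page; the `INVITES` store, the host `docs.example.com`, the function names and all sample values are constructed, and how Google actually implemented either behaviour is an assumption.

```python
import hmac
from urllib.parse import urlparse, parse_qs

# Constructed sample data: one private document with one outstanding invitation.
INVITES = {"doc-123": {"invitee": "alice@example.org", "token": "t-5f2c9a"}}

# Constructed invitation link, shaped like the one in the post (key, inv, t, guest).
LINK = "https://docs.example.com/ccc?key=doc-123&inv=alice@example.org&t=t-5f2c9a&guest"


def _matching_invite(url):
    """Return the stored invitation if key, inv and t in the URL all match, else None."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    key = query.get("key", [""])[0]
    inv = query.get("inv", [""])[0]
    token = query.get("t", [""])[0]
    invite = INVITES.get(key)
    if invite is None or inv != invite["invitee"]:
        return None
    # Constant-time comparison so the check does not leak how much of the token matched.
    if not hmac.compare_digest(token.encode(), invite["token"].encode()):
        return None
    return invite


def can_view_bearer(url):
    """Flawed model: whoever holds the link (bookmark, referrer, chat log) gets in."""
    return _matching_invite(url) is not None


def can_view_bound(url, session_email):
    """Hardened model: a valid link is necessary but not sufficient.

    session_email is the address of the authenticated session, or None if the
    visitor is not signed in. Access requires it to equal the invitee.
    """
    invite = _matching_invite(url)
    if invite is None or session_email is None:
        return False
    return session_email.lower() == invite["invitee"].lower()


if __name__ == "__main__":
    print("bearer, anonymous visitor:", can_view_bearer(LINK))
    print("bound, anonymous visitor: ", can_view_bound(LINK, None))
    print("bound, other account:     ", can_view_bound(LINK, "mallory@example.net"))
    print("bound, invited account:   ", can_view_bound(LINK, "alice@example.org"))
```

In the bound model a bookmarked or embedded link is useless to anyone but the invitee, which matches the "this invitation was sent to ... but you are signed in as ..." message quoted above.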
