Google Docs security hole may have exposed private documents
Over the weekend, some -- though not all -- users of Google Docs received notifications in their Gmail inboxes stating that some of their cloud-based documents marked as private may have been sharable with other users anyway. The problem apparently concerns marking multiple documents as private with a single command, which did not actually accomplish that task.
Here is the text of the letter Google Docs users received, which was published over the weekend independently by multiple bloggers who use the service:
Dear Google Docs user,
We wanted to let you know about a recent issue with your Google Docs account. We've identified and fixed a bug which may have caused you to share some of your documents without your knowledge. This inadvertent sharing was limited to people with whom you, or a collaborator with sharing rights, had previously shared a document. The issue only occurred if you, or a collaborator with sharing rights, selected multiple documents and presentations from the documents list and changed the sharing permissions. This issue affected documents and presentations, but not spreadsheets.
To help remedy this issue, we have used an automated process to remove collaborators and viewers from the documents that we identified as being affected. Since the impacted documents are now accessible only to you, you will need to re-share the documents manually. For your reference, we've listed below the documents identified as being affected.
We apologize for the inconvenience that this issue may have caused. We want to assure you that we are treating this issue with the highest priority.
The Google Docs Team
Betanews also uses Google Docs for testing and other purposes; however, we did not receive this notice. Most likely, the notice was sent only to Google Docs users who had used the single-click command for making multiple documents private.
The notice implies that a certain methodology was used to determine which documents were ordered private but remained sharable. That in turn suggests the documents in question were perhaps marked as private in some display system though not treated as private by the filing system. That alone points to the possibility of a much deeper security problem, one where files' permissions indicate to the outside world that they're protected, yet are treated quite differently by the underlying engine.
This is far from the first privacy incident regarding Google Docs. Last September, security consultant W. Hord Tipton discovered documents under his Google Docs account that did not belong to him. The problem in that case was "crossed sessions," as it turned out, with another user in Thailand.
Google has been contacted for further comment on this latest matter, and a response may be forthcoming. However, a spokesperson responded earlier to another user who happened to write for SaaS Directory, saying that Google estimates the bug impacted only one half of one hundredth of one percent of Google Docs users. "We have extensive safeguards in place to protect all documents, and are confident this was an isolated incident," the spokesperson stated.