Google Patches Shared Links Vulnerability in Drive

Google Patches Shared Links Vulnerability in Drive

Google has fixed a security vulnerability in it’s cloud storage service, Drive, which could have leaked sensitive data to third parties.

Google has fixed a vulnerability in its Drive cloud storage service that could have exposed certain information about shared links under a particular set of circumstances. Users will need to delete and re-upload relevant files shared on Google Drive in the past in order to limit exposure.

The vulnerability could only be triggered if a Google Drive user were uploading a shared file in its original format, without converting it to Google’s Docs, Sheets, or Slides format. Furthermore, the owner would need to have changed the document’s sharing settings from the default so that it were visible “to anyone with the link.” The final criterion requires that that file or document contain an HTTPS link or links leading to third party sites.

Given these conditions, when a user follows an HTTPS link in the document, the administrator of the site referred to by the link would receive header information allowing him or her to see the URL of the original document.

“Today’s update to Drive takes extra precaution by ensuring that newly shared documents with hyperlinks to third-party HTTPS websites will not inadvertently relay the original document’s URL,” Kevin Stadmeyer, Technical Program Manager, wrote on the Google Online Security Blog.

No links shared on Google Drive moving forward will be affected by this issue. However, existing shared links will need to be updated in order to avoid potential exposure. Google is advising that users follow these steps to mitigate the problem for links shared in the past:

  1. Create a copy of the document, via File > “Make a copy…”

  2. Share the copy of the document with particular people or via a new shareable link, via the “Share” button.

  3. Delete the original document

Google notes that the vulnerability was reported to them through their vulnerability rewards program, though it doesn’t say who the researcher was or whether it paid a reward for the bug.

Suggested articles