Hacking Google Docs
p2pnet news view Security | P2P:- Says peekay on, well, peekay:
If you can see the image below, you’ve just hacked Google Docs:
The above image should not be accessible to you. It’s supposed to be embedded solely within a protected Google Docs document, which I have not shared. In fact, I’ve actually deleted that document. It shouldn’t even exist anymore. Yet here you are, viewing my precious picture in all its glory, nakedly served by Google servers, outside of the protective Docs environment.
Is this a neat hack? Or is there more to it – a lot more, perhaps?
The latter, says peekay.
At the end of his post, “Note,” he says, “These findings are based upon my investigations stemming from Issue #1 above. I disclosed this particular issue to Google on March 18. I tend to follow rfpuppy’s Full Disclosure Policy and so waited five business days for Google to comment. I’ve yet to receive any response from Google other than the usual automated, canned reply (which I don’t consider a real response.)”
Google responds on its blog, but first, what’s all the fuss about?
With a “massive blunder on Google’s part,” as TechCrunch described it, in the background, the problems – three of them – are summarised like this, says peekay:
- No protection for embedded images
- File revision flashback
- I’ll help myself to your Docs, thanks
The issue revealed by TechCrunch was down to the fact that a Google failure meant the company had to send a notice to a “number of users of its Document and Spreadsheets products stating that it may have inadvertently shared some of their documents with contacts who were never granted access to them”.
Google apologised “for the inconvenience that this issue may have caused,” saying it was, “treating this issue with the highest priority”.
Of item #1, “embedded images are not protected by the sharing controls,” says peekay [the emphasis is his].
That, he goes on, “means anyone with access to the URL can view the image” and, “If you’ve shared a document containing embedded images with someone, that person will always be able to view those images
“Even after you’ve stopped sharing the document.
“Or as the image above demonstrates, even after you’ve deleted the document” [docs.google.com/File?id=dtfqs27_1f3vfmkcz_b for the pic at the top].
Of item #2, “In Google Docs, a diagram is a set of instructions that’s rasterized into an image (in PNG format),” says peekay, but, “Each time you modify a diagram, a new raster image is created, but the old versions remain accessible via a URL, in the format: docs.google.com/drawings/image?id=1234&…&rev=23&ac=1 ”
To view a previous version, all you have to do is change the rev= number.
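The server-side check that items #1 and #2 describe as missing can be sketched as follows. This is an added illustration, not Google's or peekay's code: the in-memory model, the names and the "viewers only get the latest revision" policy are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical in-memory model; names are illustrative, not Google's.
@dataclass
class Document:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> "viewer" | "editor"
    deleted: bool = False

@dataclass
class Asset:
    doc_id: str
    revisions: list  # rendered images, oldest first (rev numbers start at 1)

DOCS, ASSETS = {}, {}

def fetch_asset(user, asset_id, rev=None):
    """Return (status, body). The parent document's current state is
    re-checked on every request, so knowing the URL is never sufficient."""
    asset = ASSETS.get(asset_id)
    doc = DOCS.get(asset.doc_id) if asset else None
    # Unknown, deleted and unauthorized all look the same to the caller.
    if doc is None or doc.deleted:
        return 404, None
    role = "owner" if user == doc.owner else doc.acl.get(user)
    if role is None:
        return 404, None
    latest = len(asset.revisions)
    rev = latest if rev is None else rev
    if not isinstance(rev, int) or not 1 <= rev <= latest:
        return 404, None
    # Assumed policy: revision history is for collaborators, not viewers.
    if rev != latest and role == "viewer":
        return 403, None
    return 200, asset.revisions[rev - 1]

def demo():
    # Constructed sample data: one document, one diagram with two revisions.
    DOCS["doc1"] = Document("alice", {"bob": "viewer", "carol": "editor"})
    ASSETS["img1"] = Asset("doc1", [b"full-blueprint", b"redacted"])
    out = {
        "viewer_latest": fetch_asset("bob", "img1"),
        "viewer_old_rev": fetch_asset("bob", "img1", rev=1),
        "editor_old_rev": fetch_asset("carol", "img1", rev=1),
    }
    del DOCS["doc1"].acl["bob"]        # owner stops sharing with bob
    out["after_unshare"] = fetch_asset("bob", "img1")
    DOCS["doc1"].deleted = True        # owner deletes the document
    out["after_delete"] = fetch_asset("alice", "img1")
    return out
```
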
And last, but not least, under item #3, peekay adds »»»
So you learned your lesson from above, and stopped sharing your documents. You’ve kicked everyone out from your Docs. This negates the purpose of Docs somewhat, but you’d rather be safe than sorry.
Working solo, you happily add new ideas to your secret document, patting yourself on the back before you go on a well-deserved vacation.
Too bad while you’re sipping piña coladas on the beach, those same suppliers you’ve just kicked out have added themselves back [his emphasis] to your Docs and are stealing your new ideas! What?
It’s true. Even if you unshare a document with a person, that person can in certain cases still access your document without your permission, a serious breach of privacy. For now I’m withholding the mechanics of when/why/how this happens, pending further research and feedback from Google if any.
But, not a problem, reckons Google, in effect, saying in its blog »»»
… a researcher publicly reported some concerns with Google Docs. At Google, we treat the privacy and integrity of our users’ data with the highest priority. We quickly investigated, and we believe that these concerns do not pose a significant security risk to our users.
Head on over to Google if you want details about why it says not to worry but meanwhile, as peekay says of item #2 »»»
It’s 4am and you’ve been working all night on a document. This document contains a Docs diagram, blueprinting that million-dollar-idea you have in your head.
You want to share this document with potential suppliers, but you don’t want to reveal all of your secrets just yet. So you diligently redact the diagram, removing all the sensitive parts of the blueprints. Satisfied that your idea is safe, you share the document (view-only).
Next thing you know, your idea has been stolen. A Chinese company quickly ships knockoffs based on your complete blueprints. What happened?
Unknown to you, anyone you shared the document with can view any version of any diagram [peekay's emphasis] embedded in the document. The fact that you’ve deleted sensitive parts of the diagram doesn’t matter, because the viewer can see the older versions.
Says Google »»»
The second concern that the researcher raised is that viewers may be able to see revisions of drawings that are included in a document, using the new “Insert Drawing” feature. The ability for document collaborators to view revision history is a feature built into Docs. The ability to view past versions of the drawings is limited to authorized persons who have been given explicit access to the document with the embedded drawing. We may consider explicitly preventing viewers from accessing drawing revisions. For now, if document owners decide they don’t want viewers to have access to their revisions, they can simply make a new copy of the document (from the File menu) and share that new version. The revision history of both the document and all embedded drawings is removed in copies of documents.
At the beginning of his post, “Update 3/26: I’m now in contact with Google Security,” says peekay, adding:
“Update 3/28: I’m aware of Google’s official response to the issues raised in this blog. I am continuing to share my findings with Google Security and appreciate the excellent feedback they are providing me. It would be premature for me to provide further comment at this time.”
Adds Google, “We have begun adding more documentation in the Help Center here and here to describe in more detail the functions related to each concern. We are also exploring alternative design options that might further address the concerns.”
Stay tuned.
peekay – Security issues with Google Docs, March 26, 2009
TechCrunch – Google Privacy Blunder Shares Your Docs Without Permission, March 7, 2009

April 5th, 2009 at 9:09 pm
Good work and it is really easy…
___________________________________________________________________________________________________________________
Micheal Smith