Just to clarify...

Friday, March 27, 2009 7:34 PM

Yesterday, a researcher publicly reported some concerns with Google Docs. At Google, we treat the privacy and integrity of our users' data with the highest priority. We quickly investigated, and we believe that these concerns do not pose a significant security risk to our users. If you want the details, read on...

The first concern that the researcher raised is that an image embedded in a document is not deleted when the document is deleted. Images are retained because removing them would break image references in users' other Google documents and in external blogs. In addition, image URLs are known only to users who have at some point had access to the document in which the image is embedded, and those users could have saved the image anyway (which is fully expected). Note that this reasoning holds only as long as image URLs cannot be guessed or derived from the document or account name. You can always contact support to purge images from your account.

The second concern that the researcher raised is that viewers may be able to see revisions of drawings that are included in a document, using the new "Insert Drawing" feature. The ability for document collaborators to view revision history is a feature built into Docs. The ability to view past versions of the drawings is limited to authorized persons who have been given explicit access to the document with the embedded drawing. We may consider explicitly preventing viewers from accessing drawing revisions. For now, if document owners decide they don't want viewers to have access to their revisions, they can simply make a new copy of the document (from the File menu) and share that new version. The revision history of both the document and all embedded drawings is removed in copies of documents.

The final concern that the researcher raised is that users removed from a document can, in one specific case, regain access to it. That case involves a feature which allows a document invitation to be forwarded to more than one person; it was added in response to user requests for "invitation forwarding" and for sharing documents with email lists. Invitations sent using this feature carry a special key on the document link. Because it is the key, rather than the recipient's identity, that grants access, a user who has been removed from the document but still holds such a link can open it until the feature is turned off. Unchecking the feature expires every previously distributed invitation that contains the key (in documents and presentations the option is called "invitations may be used by anyone"; in spreadsheets it is "editors can share this item").
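The two access paths described above (an explicit collaborator list, plus an optional key carried on the link that any holder can present) and the image-retention behaviour from the first concern, as an added illustration that is not Google's code and not the Docs implementation. The host name, URL shapes, method names and the `purge_unreferenced_images` stand-in for "contact support" are assumptions made for this example; the image bytes are constructed sample data.

```python
"""Toy model of link-key sharing with server-side revocation (added example)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlparse

BASE = "https://docs.example/"  # hypothetical host, not a real Google URL


@dataclass
class Document:
    doc_id: str
    owner: str
    collaborators: Set[str] = field(default_factory=set)
    # The "invitations may be used by anyone" key. None means the option is
    # unchecked and only the owner and collaborator list grant access.
    link_key: Optional[str] = None
    image_ids: Set[str] = field(default_factory=set)


class DocsService:
    def __init__(self) -> None:
        self.docs: Dict[str, Document] = {}
        # Image blobs are keyed by an unguessable id and outlive their document.
        self.images: Dict[str, bytes] = {}

    def create(self, owner: str) -> Document:
        doc = Document(doc_id=secrets.token_urlsafe(12), owner=owner)
        self.docs[doc.doc_id] = doc
        return doc

    def share(self, doc_id: str, user: str) -> None:
        self.docs[doc_id].collaborators.add(user)

    def unshare(self, doc_id: str, user: str) -> None:
        self.docs[doc_id].collaborators.discard(user)

    def enable_link_sharing(self, doc_id: str) -> str:
        doc = self.docs[doc_id]
        if doc.link_key is None:
            doc.link_key = secrets.token_urlsafe(32)  # 256 random bits: unguessable
        return f"{BASE}doc/{doc_id}?invite={doc.link_key}"

    def disable_link_sharing(self, doc_id: str) -> None:
        # Unchecking the option drops the key, which expires every forwarded link.
        self.docs[doc_id].link_key = None

    def can_open(self, url: str, user: str) -> bool:
        parsed = urlparse(url)
        doc = self.docs.get(parsed.path.rsplit("/", 1)[-1])
        if doc is None:
            return False
        if user == doc.owner or user in doc.collaborators:
            return True
        presented = parse_qs(parsed.query).get("invite", [None])[0]
        if doc.link_key is None or presented is None:
            return False
        # The key is a bearer credential; compare it in constant time.
        return secrets.compare_digest(presented, doc.link_key)

    def embed_image(self, doc_id: str, data: bytes) -> str:
        image_id = secrets.token_urlsafe(32)
        self.images[image_id] = data
        self.docs[doc_id].image_ids.add(image_id)
        return f"{BASE}img/{image_id}"

    def fetch_image(self, url: str) -> Optional[bytes]:
        return self.images.get(url.rsplit("/", 1)[-1])

    def delete_document(self, doc_id: str) -> None:
        del self.docs[doc_id]  # the record goes, the image blobs stay

    def purge_unreferenced_images(self) -> int:
        """Stand-in for the support-assisted purge: drop images no live doc uses."""
        live = set().union(*(d.image_ids for d in self.docs.values()))
        dead = [i for i in self.images if i not in live]
        for i in dead:
            del self.images[i]
        return len(dead)


def walkthrough() -> Dict[str, bool]:
    """Replays the three scenarios from the post and returns what each allowed."""
    svc = DocsService()
    doc = svc.create("alice")
    plain_url = f"{BASE}doc/{doc.doc_id}"
    out: Dict[str, bool] = {}
    svc.share(doc.doc_id, "bob")
    out["bob_while_shared"] = svc.can_open(plain_url, "bob")
    svc.unshare(doc.doc_id, "bob")
    out["bob_after_removal"] = svc.can_open(plain_url, "bob")
    invite_url = svc.enable_link_sharing(doc.doc_id)  # bob receives a forwarded copy
    out["bob_removed_but_holds_invite"] = svc.can_open(invite_url, "bob")
    forged = f"{BASE}doc/{doc.doc_id}?invite={secrets.token_urlsafe(32)}"
    out["wrong_key_rejected"] = svc.can_open(forged, "bob")
    svc.disable_link_sharing(doc.doc_id)
    out["invite_after_unchecking"] = svc.can_open(invite_url, "bob")
    img_url = svc.embed_image(doc.doc_id, b"\x89PNG constructed sample bytes")
    svc.delete_document(doc.doc_id)
    out["image_survives_doc_deletion"] = svc.fetch_image(img_url) is not None
    svc.purge_unreferenced_images()
    out["image_gone_after_purge"] = svc.fetch_image(img_url) is None
    return out
```

The point the walkthrough makes is that the invite key is a bearer capability: removing Bob from the collaborator list does nothing while he still holds a link carrying a valid key, and only clearing the key (the "uncheck the feature" step in the post) cuts him off. The same property is what makes the image URLs safe to leave in place: they are random tokens with no relationship to the document or account name, so possession of the URL is the only way to reach the bytes.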

We have begun adding more documentation in the Help Center here and here to describe in more detail the functions related to each concern. We are also exploring alternative design options that might further address the concerns.
We'd like to thank the researcher for sharing his concerns with us. We always welcome your feedback on our products, and thank you for your continued support.

[Update 3/28/09: I failed to mention the researcher's name in the original post. His name is Ade Barkah]

20 comments:

ahab said...

The fact that images are not erased from Google Docs can be misused to let Google Docs act as a storage for abusive images. The images may be referenced by websites while the documents and even the entire Google Account have been deleted...

chancharles said...

I am surprised to hear this kind of response from Google.. It only takes some hacker to write up something that will retrieve every single image from the Google Docs server and publish them on the web.

This is a design oversight from Google and Google should acknowledge it and not downplay the security concern.

Security Leaders Group said...

I wonder if Twitter suffers from the same issue. Here is the URL for the background image for Guy Kawasaki's Twitter page: http://s3.amazonaws.com/twitter_production/profile_background_images/6773197/main-bg-russian.jpg

Note that it is hosted on AWS. I guess I will have to check. Stay tuned. @stiennon

Security Leaders Group said...

Nope Twitter does not save image files after you upload a new one.

StopSpamming said...

It is bad enough that you have allowed Canadian Pharmacy to open up hundreds of groups for spamming but now you are letting them use docs to spam twice as much!!!!! When are you going to stop this illegal activity?

Sandro Magi said...

I agree with Google's position, as long as the image URLs are unguessable. If they are guessable or discoverable given the document or account name, then this is indeed a security concern.

The rest of the issues reflect exactly the copy-on-share nature of the web, and are not security issues. Somehow making this more apparent in the UI would be helpful for users however.

moontear said...

I also agree with the official standpoint for the most.
I disagree on the image saving policy. It is not possible for the user to see which images are actually still saved on his account - somewhere hidden in the system. Of course the user might have at some time uploaded the image, but maybe he doesn't want this data to be "publicly available" anymore. Let me stress the anymore, because let's just assume some user who had access to the document before saved the image link and now shares this link with users who should not have access.
Maybe this picture contained precious company information which should not be available anymore.

My suggestion: To be able to see which files are still saved somewhere, so the user can select to purge these files himself.
The e-mail stated docsimagedelete(at)google.com - what images will actually be deleted? Can I specify to delete all images which are not referenced in any document anywhere? Shouldn't that be the default? If all references are deleted, delete the image as well?

Philipp Lenssen said...

> In addition, image URLs are known only
> to users who have at some point
> had access to the document the
> image is embedded in, and could
> therefore have saved the image
> anyway (which is fully expected).

I've actually found photos from an invite-only protected Picasa Web Album which were publicly indexed in Google Images. It may be likely that the album was public at the time of indexing, but this gives some perspective to your "users who have at some point had access" argument. As with Google Docs, the problem with Picasa Web Albums is that the image URLs themselves are not protected, other than by cryptic URLs. This is way, way safer than non-cryptic URLs, of course, but not quite as safe as fully password-protected image URLs... in particular when it comes to triggering unforeseen, privacy-hurting side effects.

Suyash said...

I liked it from day one... I would suggest that you could also add a line spacing option. Google Docs will end the need for Microsoft Word.

Sandro Magi said...

let's just assume some user who had access to the document before saved the image link and now shares this link with users who should not have access.

Let me rephrase: let's assume some user who had access to the document before saved the image to disk, and now shares this link with users who should not have access...

Data copying is at the heart of the Internet, so you cannot prevent authorized users from disseminating information they once had access to. Adding this feature to Google Docs results in a false sense of security. That's worse IMO.

Sandro Magi said...

This is way, way safer than non-cryptic URLs, of course, but not quite as safe as fully password-protected image URLs

Actually, the URLs are safer than password protection. Cryptographically unguessable URLs are capabilities.

It is a gross violation of user expectations and privacy if Google is indexing images the user intends to keep private however.

Philipp Lenssen said...

> Actually, the URLs are safer
> than password protection.
> Cryptographically unguessable
> URLs are capabilities.

Yes and no. Passwords are *not* as typically pasted in document sources etc. ... and it is also not as socially clear at all times whether a URL is "meant" to be a password etc. Also, passwords (when done right) are not indexed by search bots, which is however what happened with the Picasa Web Album I came across. There are simply more unwanted (bugs...) as well as wanted (easy sharing) side effects that can happen with unlisted URLs... one just shouldn't call unlisted URLs "private" or "fully protected".

Philipp Lenssen said...

PS: I think it's also wrong to say that a cryptic URL file is e.g. "fully public" and "merely obfuscated by a hard to guess URL", as I recently read in a blog, which then shared the image by including it in the blog post (because you might also paste the password in the blog post and then say it's a security issue of the product because the password is "merely hard to guess"). The problem between unlisted and really-password-protected URLs -- and the mixing between the two in some products, like Google Docs image inclusion -- is a more subtle one, IMO.

Jacob Browne said...

Why are people surprised? This lack of security is clearly stated in the Google terms of service: Section 11.1 " . . . you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive licence to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services." The license is perpetual for all content; it doesn't end just because you mark it as private or delete the content or the account. So legally, since we agreed to this license, Google can do this. Morally, that is another question. I think Google should modify their terms to be more like Yahoo's, which does end upon deletion of content or account, and does distinguish between public and private content.

Mr. C said...

Ohh boy. I have no idea what you guys are talking about.

Ann said...

GRAMMAR POLICE: The text introducing your new Google Docs service, CADIE, at least twice commits the same grammatical mistake. "Google Docs, now enhanced with CADIE technology, creates your Docs for you – without you ever providing any actual input!" The word should be "your ever" not "you ever."

Also in the following: "Google Docs, now enhanced with CADIE technology, can help you create or improve upon all of your documents, spreadsheets and presentations – without you lifting a finger!" Again, the word should be possessive: "without your lifting" rather than "without you."

Finally, I would clean up the sentence by deleting "upon all of"--but you might find that picayune.

Jack O'Sullivan said...

Not quite sure where everyone is going with this, but this blog rocks!

Jack O'Sullivan
Bedroom Sets

Jack O'Sullivan said...

Can anyone read that Chinese text??? I am curious as to what they are selling.

Jack O'Sullivan
Men's Dress Shoes
Bedroom Furniture Sets

Jay Steven said...

that is good to know. thanks for the insight.

Jay Stevens
Cyber Monday, Gunvault Safes, Umbilical Cord

mast said...

Please do something about login when the session expires. It is so annoying to find that typed text will not be saved, then refresh and log in in another view. Make a JS prompt and Ajax login, so the typed data won't be lost. Some of us work the whole day with Docs, and when idle for some time, the constant refresh/login is very annoying.

Sent an email about it too but obviously nobody reads them nowadays. No answer.