Google Docs flaw could allow others to see personal files

Share this article:
Updated on Tuesday, Sept. 16 at 6:45 p.m. EST

A security researcher said he has discovered a vulnerability in Google Docs that mysteriously allows private documents to appear in other users' accounts.

Tim Bass, a researcher posting Monday on the ISC(2) blog, wrote that when he recently was using his Google Docs account he found that it was listing documents as "owned" by him but that did not belong to him.

In his case, he discovered documents written in Thai. When Bass contacted the owner of those files, that person also mentioned that his account contained documents not owed by him or normally shared with him.

Bass said he suspects a JavaScript error in the way in which Google manages user sessions is to blame. A Google spokeswoman said Tuesday afternoon that the company was prepping a fix.

Google Docs is a web-based application that saves files not to a user's desktop -- as is the case with programs such as Microsoft Office -- but to Google servers so users can retrieve documents from anywhere using the internet.

"The bottom line is that the security breach is real and dangerous," Bass said. "Your Google Docs, and I suspect other Google applications that use the same session management code, are vulnerable. There may be an underlying XSS (cross-site scripting) vulnerability as well."

A Google spokeswoman could not immediately be reached for comment on Tuesday.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.