Google Drive privacy warning – could yours have leaked data?

Shared files sent via Google Drive could have shared more than their senders intended, Google admitted this week – in a Google Drive privacy post where the internet giant admitted that certain file types could be visible to people other than their intended recipients.

Google recently updated Drive with tools to make it more appealing for business, but the storage system is already commonly used in business to share and edit files. Google has issued detailed instructions for Google Drive users who fear they may have shared confidential information.

Google has patched the Google Drive privacy problem, and issued detailed instructions on what file types are affected (files created in other programs and stored unconverted in Google Drive, and shared with ‘anyone who has the link’).

Infoworld says, “Google’s handling of the matter is further evidence that the company has a good nose for how to deal with such exploits. But here’s also hoping Google applies the lessons from this discovery to all its services.”

Google Drive privacy – who can read my files?

Veteran security researcher and We Live Security contributor Graham Cluley, writing on the Intralinks blog, says that the leak, “underlines the unexpected dangers which can arise from allowing “anyone who has the link” to access your private data without further authentication.”

Google’s Drive privacy post explains which files may be at risk – yours are only at risk if they fulfill ALL of the following conditions;

  1. The file has to have been uploaded to Google Drive, and shared with ‘anyone who has the link’
  2. It has to have remained in its original format (ie .docx), without being converted to Google Drive formats such as Docs
  3. It has to have contained links to third-party HTTPS websites

If this is the case, admins on the third-party website may have been able to see a URL which allowed them to click through to sensitive data.

Cluley points out that in certain business scenarios – such as corporate takeover bids – this could plausibly have resulted in the target of such a bid being able to read the details freely online.

What do do if you’re worried about Google Drive privacy

Google has patched the issue – so that any documents shared via the service going forward will no longer be affected by the privacy problem.

This, however, does not affect documents that have already been shared via the service. Google Technical Program Manager Kevin Stadmeyer advises, “If one of your previously shared documents meets all four of the criteria above, you can generate a new sharing link with the following steps:

  1. Create a copy of the document, via File > “Make a copy…”
  2. Share the copy of the document with particular people or via a new shareable link, via the “Share” button
  3. Delete the original document.

In its guide to using Google Drive privately, the company advises users to make sure that documents are shared correctly – i.e. users should think carefully about whether ‘anyone who has the link’ is an appropriate setting for a confidential file…

Author , We Live Security

Follow us

Copyright © 2017 ESET, All Rights Reserved.