Security fail (Google)

Just a quick post about a little (and nasty) bug I’ve found in Google Docs. I’ve already contacted Google 2 months ago (11 Februar), but they seem to have better work (counting money or smth. like that) and I didn’t received any response nor the bug has not been fixed.

Description:

Anyone with invite link to some specific document stored in Google Docs, can view this document regardless of sharing properties defined. This includes also guest visitors of the document, and that means no signing-in to Google Docs service is required to access such a link and view private document.  Well maybe this is some kind of ultra easy accessibility feature, but for me it looks like a bug ;-)

Example:

https://docs.google.com/Doc?docid=0AYYA7ZD-UOAFZHY1bXFucV8zM2RjM3NtNmNu&hl=en

This document is private, shared only with one another account and i presume you can not view it, but if you use this link

https://docs.google.com/Doc?docid=0AYYA7ZD-UOAFZHY1bXFucV8zM2RjM3NtNmNu&hl=en&invite=CI-f3KoG

you can see it’s content. Not very optimal.

How-to reproduce:

  1. create document
  2. share it with someone
  3. use the invite link to feel like a hacker and view your own private document without being signed-in,

How-to abuse:

Well not so easily, you must get the invite link somehow. But, I think it is not so hard as it seems. The invite link works even after the original user has been disallowed to view the document, so something as revoking access to a Google Document to someone that already had access to is is only a pure dream.

Have a nice day