unix and linux operating commands

A New Security Breach in Google Docs Revealed


 
Thread Tools Search this Thread
# 1  
Old 09-15-2008
A New Security Breach in Google Docs Revealed

I am a big fan of Google and, over time, I have started to enjoy the freedom from my desktop with Google Docs. For example, when I keep track of business expenses I have found it easier to update a Google Spreadsheet versus depending on Microsoft Excel on my laptop because I can update from anywhere in the world and share with my bookkeeper too. So, I've been using Google Docs more lately.

Today, however, I discovered a huge security breach in Google Docs. While I was in my account working on a spreadsheet I suddenly found my Google Doc account listing many documents that did not belong to me. I clicked on one of the documents and the results are in the image below, where my Google Doc session appears to have "crossed over" with another users.

Image

I decided to do a bit more exploring and take a few more screenshots, because I don't yet know how to reproduct this security breach. The image below show a Google document (fifth from the top) which is not owned by me, "owned by me". However, when I click on this mysterious "owned by me" document, it is owned by another user. Here is another screenshot below; you can click on the image for the full-screen version.

Image

Again, here is another example of the same security violation with two documents. As above, you can click on the image for a full-screen version.

Image

I contacted the owner of the Google Docs account which I had suddenly and mysteriously "crossed sessions" with today. I asked him if he was in Thailand (since a few of the documents were in Thai) and he said yes, however he say he did not have any Thai language documents in his account. However, as you can see from the screenshot, the Google Docs menu shows this person as "the owner" of a Thai language document. He also mentioned that, today, he saw "wierd documents" in his account that did not belong to him (or "normally" shared with him).

Unfortunately, I was having problems with the Internet connection in my hotel room so I could not continue to investigate the breach. When I logged back in a few hours later, everything was back to normal. So far, all is "normal" and I have not been able to repeat this breach.

I suspect the Google Docs flaw comes from a JavaScript error in how Google manages user sessions. The bottom line is that the security breach is real and dangerous. Your Google Docs, and I suspect other Google applications that use the same session management code, are vulnerable. There may be an underlying XSS vulnerability as well.


Image
Image

More...
Login or Register to Ask a Question

Previous Thread | Next Thread

2 More Discussions You Might Find Interesting

1. Red Hat

Secrets of an open source ecosystem revealed

It has always been possible to solve the puzzle of Red Hat’s success in the software business. By piecing together Red Hat’s open source ecosystem methodology for their own understanding, many businesses have had an eye on Red Hat in how to organize their open source development practices. The... (0 Replies)
Discussion started by: Linux Bot
0 Replies

2. UNIX for Dummies Questions & Answers

I revealed hidden files, now i want to hide em again

I did a reveal hidden files in Terminal trying to get songs from my ipod. now i would like to turn that off and again hide the hidden files?????Help will be greatly appreciated Thanks Eric (3 Replies)
Discussion started by: unclejessie1967
3 Replies
Login or Register to Ask a Question