March 27, 2009, 10:16 AM — A security analyst says he's found three glitches in Google Docs that could expose private data, but Google said the issues don't pose a security risk.
Google Docs is an online office productivity suite that lets users create and share word processing or spreadsheet documents. It's free for consumers, and Google also offers an enterprise version, Google Apps, with more features.
One of the flaws allows images to be accessible even if a document has been deleted or the sharing rights have been revoked, wrote Ade Barkah, the founder of BlueWax, an enterprise application consultancy based in Toronto.
A person would need to have the correct URL for the image to access it, Barkah wrote. The flaw shows that Google Docs does not protect images with its sharing controls, he wrote.
"If you've shared a document containing embedded images with someone, that person will always be able to view those images," he wrote. "If you embed an image into a protected document, you'd expect the image to be protected too. The end result is a potential privacy leak."
The second problem allows users to see all versions of an image that's been modified. For example, if a user wanted to redact part of an image and share it, the user who has access to it could modify the URL of that image to see previous versions.
Barkah wrote that items such as diagrams are rasterized into a .PNG image. When the diagram is modified, Google Docs creates a new rasterized image but preserves old versions with a unique URL. By changing a numeral in the URL, the old diagram can be seen.
Barkah also found a third problem but is not releasing details on it just yet. It appears to allow people who once had access to someone's Google Docs to still get access even if access rights have been changed.
Google was notified of the issues on March 18, and Barkah said he was in touch with Google's security team on Thursday. In a statement, Google said they are investigating but that "we do not believe there are significant security issues with Google Docs."
If accurate, Barkah's discoveries are likely to fuel calls that the company needs to do a thorough security review of its cloud-based applications.
Last week, the Electronic Privacy Information Center filed a complaint asking the U.S. Federal Trade Commission to stop Google from offering services that collect data until privacy controls can be verified.
Earlier this month, Google acknowledged that a glitch in Docs caused some documents to be exposed to users without proper permission. The problem occurred among users who had previously shared documents. The company said it affected fewer than 0.05 percent of documents.