Google Patches Shared Links Vulnerability in Drive

Photo credit: Alexander Supertramp/Shutterstock.com

Google has patched a security issue in its Drive application that exposed Drive document URLs to third parties for newly shared documents.

According to Google’s technical program manager, Kevin Stadmeyer, the requirements for the issue to come to light are numerous. If a file containing hyperlinks to third-party HTTPS websites were uploaded to Google Drive and not converted to the Google formats known as Docs, Sheets or Slides (i.e., if it remained in its original format such as .pdf, .docx, etc.), the administrators of those third-party sites could potentially receive header information showing the URL of that shared document.

In plain language, it means that administrators of documents containing hyperlinks can’t guarantee the privacy of the Google Drive group’s information. Drive isn't alone here – Dropbox suffered a similar issue recently. 

The flaw is only active if the owner changes sharing settings so that the document is available to “anyone with the link” – but this is a common setting for Drive users who need to give participants autonomy to share materials with their teams.

“Today’s update to Drive takes extra precaution by ensuring that newly shared documents with hyperlinks to third-party HTTPS websites will not inadvertently relay the original document’s URL,” Stadmeyer noted, adding that no links shared on Google Drive moving forward will be affected by the issue.

However, existing shared links will need to be updated to avoid potential exposure. To do that, users should follow three steps, according to Google:

  1. Create a copy of the document, via File > “Make a copy…”
  2. Share the copy of the document with particular people or via a new shareable link, via the “Share” button
  3. Delete the original document

Google was alerted to the issue via its Vulnerability Reward Program, it said, though no word has been given on whether the responsible researcher was paid.
