A rather worrying privacy issue has been found in Google Drive, which could have led to personal or corporate information ending up in the wrong hands.
Google has now patched the security flaw, but its discovery shows the vulnerability of cloud data when accessed via a link.
The flaw posed a risk to files that included a clickable URL: when someone clicked the embedded hyperlink, the URL of the original document was passed to the owner of the third-party website. By accessing this URL, that external party could potentially reach the original user's information.
The fault is not dissimilar to a Dropbox hyperlink disclosure vulnerability, which led to the exposure of personal documents contained on the cloud storage provider.
Google explained its fix in a blog post, which outlines the exact nature of the flaw. Only a "small subset of file types" was affected, namely files that corresponded to the criteria below:
- The file was uploaded to Google Drive
- The file was not converted to Docs, Sheets or Slides, remaining in its original file format (.pdf, .docx, etc.)
- Within the file content were hyperlinks to third-party HTTPS websites
- Sharing settings were changed by the owner so that the document was available to "anyone with the link"
Documents that meet these criteria will no longer relay the original document's URL, Google has assured users.
If your confidence in Google is low though, we'd suggest deleting any documents that do match the list above, then re-uploading them.
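One way to find the documents that match the list above is sketched below. This is an added example, not code from Google or from the original article. It covers only .docx files, and the record keys, the `anyone_with_link` label and the first-party host list are assumptions made for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
LINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
FIRST_PARTY = {"drive.google.com", "docs.google.com"}  # assumption: hosts not counted as third-party

def external_https_links(docx_bytes):
    """Return third-party HTTPS hyperlink targets stored in a .docx package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(zf.read(name)).iter("{%s}Relationship" % REL_NS):
                if rel.get("Type") != LINK_TYPE or rel.get("TargetMode") != "External":
                    continue
                url = urlparse(rel.get("Target", ""))
                if url.scheme == "https" and url.hostname not in FIRST_PARTY:
                    found.append(rel.get("Target"))
    return found

def matches_criteria(rec):
    """rec keys (hypothetical): name, converted, sharing, content."""
    return (not rec["converted"] and rec["sharing"] == "anyone_with_link"
            and bool(external_https_links(rec["content"])))

def make_docx(targets):
    """Constructed sample: a package holding only hyperlink relationships."""
    rels = "".join('<Relationship Id="rId%d" Type="%s" Target="%s" TargetMode="External"/>'
                   % (i, LINK_TYPE, t) for i, t in enumerate(targets, 1))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels",
                    '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, rels))
    return buf.getvalue()

def rec(name, converted, sharing, targets):
    return {"name": name, "converted": converted, "sharing": sharing,
            "content": make_docx(targets)}

INVENTORY = [  # constructed records, not real files
    rec("plan.docx", False, "anyone_with_link", ["https://example.com/pricing"]),
    rec("notes.docx", False, "private", ["https://example.org/"]),
    rec("memo.docx", False, "anyone_with_link", ["http://example.com/", "https://docs.google.com/x"]),
    rec("report.docx", True, "anyone_with_link", ["https://example.com/"]),
]

def flagged(inventory):
    """Names of the documents to delete and re-upload."""
    return [r["name"] for r in inventory if matches_criteria(r)]
```

Only `plan.docx` is flagged: the other records are either not link-shared, were converted, or contain no third-party HTTPS link.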
The case highlights the consumerisation of IT, where employees use consumer-oriented services for work purposes. Those services sometimes exhibit flaws that put organisations' security and privacy at risk, as well as the employees' own.