Longer version: I received a link to a Google doc on slack recently, but the owner had forgotten to share permissions with me. Though I couldn't view the doc when I clicked it, I did notice that I could view the first page of the doc in the link preview. It was very high res and I could view the text clearly. Isn't this a security vulnerability worth plugging? I reported it to Google, but they responded with:
"Hi! We've decided that the issue you reported is not severe enough for us to track it as a security bug: when someone with access to a doc sends a link over slack, they express their intent to share this document, hence the preview shared independently from the sharing setup on the doc does not represent a significant risk."
I tried responding that many people have Google Drive links exposed even publicly, but they assume that only those with access can view them. But I got the same response pretty much. Am I missing something here, or is this an oversight by Google?
I agree that it's poor behavior and potentially could be part of a critical security compromise. But you'd need to get a hold of the right team. The Google Docs core engineers probably don't care and couldn't fix it anyway.
I don't know for sure (and can't check now since I no longer work there), but my impression at a former job that made heavy use of Slack and Google Docs was that in a corporate setting with Google Enterprise or whatever it's called, the Slack integration was far more cautious about showing previews. It even alerted you if you posted a document that not everyone in the channel could view, and gave you the ability to grant them access right then and there. IIRC, previews were hidden if you didn't have access. I don't know if that is a different plugin or just better behavior in a corporate setting.
I probably wouldn't have posted this if I had received this explanation from Google. :)
This was their response: "Hi! We've decided that the issue you reported is not severe enough for us to track it as a security bug: when someone with access to a doc sends a link over slack, they express their intent to share this document, hence the preview shared independently from the sharing setup on the doc does not represent a significant risk."
It is not intuitive if you are not used to how security really works, which is that permissions are granted to masks that you wear, not to any real person. When you give slack permissions to use the drive integration, you are giving them a copy of your mask, and they are you, even unexpectedly. You have a (subconscious) reflex to automatically create and share screenshots of documents that you link, that you have trained via slack's hook. Remove that integration, and everything works as expected.
It's link-bearer open access to a partial document (an entire page) an author marks as not having partial access. Circumvention of Google's authentication procedure.
Is that understanding correct?
If so, Google's seemingly OK with users believing something's secure, that isn't. And that could cause information leakage by Google's design that could lead to fraud and/or other crime.
> Is that understanding correct?
I must have phrased these 4 words poorly. I'll try harder next time.
If someone does a blog post like “Looking at the first page of 1 billion private Google Docs” they’ll fix it.
- https://news.ycombinator.com/item?id=37854159 (October 2023)
- https://news.ycombinator.com/item?id=32770709 (September 2022)
- https://twitter.com/matbennett/status/1171015871868874757 (September 2019)
So you are at least not the first one to get dismissed.
EDIT: Jogging the memory in the other threads, this happens when the person posting the link have (a) enabled the Drive integration and (b) have permission to view the document.
That said, if (a) this is only occurring with the 2 conditions you mentioned and (b) if Google Drive integrations are only allowed with vetted partners, then I suppose this is less exploitable. Someone would have to intentionally put the link into a 3rd party application that had some people who shouldn't have access.
Though it still be a problem I think, privacy is important even internally. Sometimes access needs to be revoked, or people are unaware of all the people who have access to a channel etc.
A tooltip change (warning) to the sharing view would be sufficient to address the concerns that the first page is displayed as part of the preview for those with Google Drive integrations enabled.
You should change your tl;dr to reflect that one can view a preview of the first page of a shared Google Doc, despite not having access, when provided the sharing link and with Google Drive integrations enabled.
No one reasonably expects something to be viewable in any form if you haven't given permissions for it. Having to tell the user about such a thing via a tooltip is just bad UX design.
I also wonder if Google didn't create a footgun for themselves if some genius at Google in the future decides the preview looked better if they showed 2 pages instead of one in some UI's.
Reason for disagreement is that the preview is generated once with the access rights for the user posting that link (with the permission Slacks Google Docs integration got from the posting user). For performance reason it would be quite costly to generate a preview for every viewing user since access rights could be different for every user. Also access rights can change every time, so it would be necessary to recheck permissions regularly to decide if the preview should be renewed (removed/added/changed). This also would mean users need to wait longer for the preview to generate.
So every user posting a link on Slack (or any platform which generates previews with a special integration) should be aware of that fact
If you can't do previews in a way that respects access permissions you shouldn't do them at all. This isn't a feature that is essential whereas security really is.
Moreover you really can't possibly have a security scheme that relies on every user being aware of something. Someone will either not know or will know but forget or make a mistake. Systems should be robust enough to accomodate usage by actual humans.
The reason you've been given sounds like something frowned upon in HN: a shallow dismissal.
Even if we accept their reasoning, there is still something wrong: users don't know about the behavior. There is no "warning: sharing a link to someone gives them a high resolution preview of a page of the document, which doesn't require permissions". It's not what you would assume in a document sharing system that has permissions.
So the stance that Google is taking is probably taking is that this is equivalent to the user sharing the link also sharing a screenshot as a preview. (Something that they have permission to do)
I do agree that this may be a bit surprising but the sender has "opted-in" to this behaviour when they signed into the Google Drive plugin for Slack. But I don't find Google's perspective completely unreasonable.
They closed the ticket as: 1) You had to compromise the frontend 2) We bought firebase within 120 days, so we won't bug bounty it.
Completely ignoring that the authentication could not be rolled. That was the last time I tried to disclose or improve a google product. I gave some talks about detecting the use of the same JWT across IP ranges, and using that as a litmus to revoke all user access until your application could contact the user.
Anyway, that was all to say my personal experience is that Google does not care about solving security issues and will actively suppress them until they reach some level of critical mass.
This looks like a security vulnerability to me. I pay for Google Drive, and I'm starting to distrust Google to maintain the safety of my data properly.
And yeah, I think it's ridiculous.
