Google Drive security updates – why things aren’t rosy

  • by
md7jmxyyrkzv72dbgdgqpk

How to share restricted files

A fairly popular problem with file sharing in Google Drive is very low security. There have already been situations when private documents of users were indexed by search engines, and strangers could enter those open for shared access. The current security update for Google Drive promises to make file sharing more secure. It sounds nice, but in fact there are still problems.

There are two ways to share files in Drive. For limited access, you must specify the email addresses of those people to whom you want to give access to the file. In this case, they will be able to navigate to the document using the link by logging into their Google account.

Google Drive security update: What is it and what do I need to do? | Tom's Guide

 

In the second case, the sharing mode grants access to everyone who has a link to the file. Its advantage is simplicity and speed: there is no need to waste time and manually enter email addresses. It is enough just to drop the file URL into the general chat with colleagues so that each of them can open the document.

 

With these settings, anyone with a link can open the file

Google Drive and other cloud services generate unique URLs for every document you create. The bottom line is that this address should be difficult to guess: that way, no one should be able to accidentally stumble upon the file by simply generating the address in the search bar. But experiments have shown that this has proven to be realistic, and many file storage and sharing platforms are vulnerable to URL-substitution attacks.

Several years ago, Google updated the method for generating URLs to make them more secure. But the files you shared before 2017 were not affected by this update, and their URLs are still in the old format. It is to them that the new Disk update is applied, which will add an additional parameter called resourcekey to the address. Anyone who already had access to the file will be able to enter it without any problems using the old link, and new users will have to request access to the file from the owner of the file.

With these settings, anyone with a link can open the file

If you have applied file sharing to some old links in your cloud and forgot about them, a security update will prevent attackers from guessing these URLs and gaining access to them

But not everything is so rosy. A security update makes it harder for brute-force link detection, but there are other ways in which file sharing can expose sensitive data.

The problem is that users often use link exchanges to collaborate on sensitive documents. In such cases, their data remains safe as long as the link to the shared document is not broadcast anywhere and falls into unwanted hands. And there is no guarantee that this will not happen. For example, if you forget to remove a former employee from the restricted list, they will still be able to view documents.

In any case, remember, if you do not want the contents of your files to become public or hackers’ hands, carefully monitor who you share access with.

Leave a Reply

Your email address will not be published.