We often repeat this advice from former Naked Security writer Graham Cluley: for a better understanding of how you should approach security in the cloud, simply replace all instances of the words “in the cloud” with the words “on somebody else’s computer”.
Google just handed us another opportunity to do just that.
It turns out that Google Drive has been incontinent, dribbling out private data courtesy of a security hole concerning files with embedded URLs.
When someone clicks an embedded hyperlink, they get sent to a website run by a third party.
Unfortunately, the flaw was also letting the website owner – an unauthorized party – view header information, potentially including the original document that included the URL.
Google has now patched the hole, which it got wind of via its Vulnerability Reward Program.
Google downplayed the flaw last week in its blog posting, saying that it affected only a “small subset” of file types in Google Drive.
It said that the glitch was relevant only if all four of these conditions applied:
The file was uploaded to Google Drive
The file was not converted to Docs, Sheets, or Slides (i.e. remained in its original format such as .pdf, .docx, etc.)
The owner changed sharing settings so that the document was available to “Anyone with the link”, and
The file contained hyperlinks to third-party HTTPS websites in its content.