Securing your files in the cloud, Google Drive link sharing vulnerability fixed: SSO Alert Priority
15 July 2014
Google has moved to fix an issue in its Google Drive service after a vulnerability was discovered that could, under particular conditions, expose documents shared via a link to unauthorised parties.
Google Drive is a cloud-based storage, file sharing, synchronisation and collaboration service.
The issue involves some file types containing hyperlinks. If you shared the file with someone and they clicked on those embedded links, the administrators of websites referenced by the links could potentially receive information about the document and gain access to it.
The issue only affects some files under certain conditions. Google’s website states that this issue is only relevant if all of the following apply:
The file was uploaded to Google Drive
The file was not converted to Docs, Sheets, or Slides (i.e. remained in its original format such as .pdf, .docx, etc.)
The owner changed sharing settings so that the document was available to ‘Anyone with the link’
The file contained hyperlinks to third-party HTTPS websites in its content
Google has fixed the issue. However, any documents you shared prior to the update (meeting the above scenario) will not be covered, and you will need to make copies of affected files and share the link again.
Cloud storage and sharing services are extremely useful, convenient and popular, but from a security point of view, it is important to understand that you are sending your data to be stored on someone else’s computer—somewhere.
These products (like any software) have been affected by security issues in the past, and each will also take a slightly different approach to providing you with security. (Check their help pages to find out!)
Cloud services such as Dropbox or Google Drive do encrypt your stored data, either as it is loaded or once it has been loaded, but there is also a variety of free or low-cost encryption packages which you can use to encrypt your files on your computer prior to uploading them.
A number of these also integrate closely with one or more of the available cloud services. This adds a separate layer of encryption before the files even leave your computer, meaning you don’t need to blindly trust the cloud provider to secure your information.
You can also set a password directly on many file types (e.g. for Microsoft Office documents go to File > Info > Protect Documents > Restrict with a password).
Another option you might consider is compression software such as WinZip, which has options for encryption and password protection of files.
Of course, security will not be your only consideration for using these services, but like everything on the internet, you should consider any possible security and privacy risks when you sign up. For some people, minimising the security risk for their most sensitive documents includes not storing them in the cloud.
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.
This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.