jsherk

Reputation: 6472

Critical security issue with Google Drive when sharing file as Restricted

So it seems to me that when I share a Google Drive file using the Restricted option, only the person I shared it with should be able to access it.

However, Google seems to think that anybody with the link should be able to access the file, whether they are logged in or not.

If the Public Link option and the Restricted option both give anybody access to the file, then what is the difference? Per issue tracker, Google seems to think this is okay. https://issuetracker.google.com/issues/215152601

Am I missing something here, or misunderstanding how this is supposed to work?

EDIT: I have more details on the issue and it is better described as this: Restricted files that have been shared with a non-Google email incorrectly still show their status as Restricted, when in reality they are accessible by Anyone with the link.

EDIT: The tracker link is not accessible to everybody, so I am reproducing the thread here. Note Google's response that this is apparently working as intended...

ME Jan 18, 2022 09:36AM

Summary: Sharing a Restricted file sends email to added user with link accessible by anyone

Steps to reproduce:

  1. Upload a file to google drive
  2. Under sharing, set the file to RESTRICTED
  3. Add a user to share the file with
  4. User receives an email that Document was shared with them
  5. In the email it says "This email grants access to this item without logging in. Only forward it to people you trust."
  6. Anybody with the link can now view the document without logging in, even though it is set to RESTRICTED

Browser/OS: Chrome/Firefox

Attack scenario: I set a sensitive/private document to RESTRICTED and share with an employee.

The employee's email is hijacked and the hacker with the link can now view the document even though they have not logged in.

GOOGLE Jan 18, 2022 09:48AM

Hi! Although it may come as a surprise, this is actually working as intended.

That said – if you think we misunderstood your report, and you see a well-defined security risk, please provide a detailed attack scenario where you demonstrate how this issue could be exploited to attack other users or Google.

Thanks again for your report and time, The Google Bug Hunter Team

ME Jan 18, 2022 10:05AM

If I RESTRICT a file to specific users, then only those specific users should be able to access the file after they have logged in.

If a link is generated that allows anybody to click on it and then view the file, then that completely bypasses the "restricted" feature altogether.

This makes "Restricted" and "Anyone with the link" exactly the same thing, because even though I have restricted it to certain users, there is a link available that anyone can use to access it.

A file set to Restricted should NOT be creating a link in an email that says "This email grants access to this item without logging in. Only forward it to people you trust."

As far as a detailed attack scenario goes, all I can tell you is that email is generally considered an insecure method of transmitting data, and if there is a link in my email that "grants access to this item without logging in" then my file is no longer Restricted to the users that have been added if my email gets hijacked or intercepted.

SOMEBODY Jan 21, 2022 03:50AM

I believe this has to work like that if you share with users (e-mail addresses) who don't have a Google account, as there's no identifier on our end that you can grant authority to.

ME Feb 15, 2022 10:31AM

The whole point of restricted sharing is that the person MUST have a google account in order to view the file ... this forces them to login so they can access the file.

If it is functioning the way it is supposed to, what is the difference then between Restricted and Non-Restricted sharing?

If, in both cases, anybody with the link can view the file, then there is no difference and the file is not actually restricted.

ME Feb 16, 2022 12:00AM

Ok I have some additional information, and now understand better what is happening...

BETTER DESCRIPTION OF THE BUG:

When you share a RESTRICTED file with an email address that has a Google account associated with it, then the security is fine, and nobody else can view the file except the person it was shared with after they login.

However here is where the issue/bug occurs: When you share a RESTRICTED file with an email address that does not have a Google account associated with it, you get a popup (poorly worded in my opinion) that says the email does not have a Google account associated with it, and it asks if you would like to SHARE ANYWAYS. If you select the Share Anyways, a publicly accessible link will be sent to this email address. Now anybody with this link can access the file. However the file still says that it is RESTRICTED, when in reality, as soon as you shared the public link with the non-google email, the file was no longer Restricted.

The wording for a Restricted file says: "Restricted: Only people added can open with this link." But this wording is incorrect if you have shared the file with a non-Google email.

There are two possible solutions:

SOLUTION #1 (The most secure solution)

SOLUTION #2 (Not as secure and more prone to user error and accidentally sharing files that should not have been shared)

Upvotes: 3

Views: 4011

Answers (1)

Martin Zeitler

Reputation: 76639

Do not share a link, but share it to an email address known to Google.

I'd suggest always reading the documentation, instead of mistaking assumptions for facts (which seems to be quite common these days, up to the degree of ignoring literal error messages):
https://support.google.com/a/users/answer/9308868?hl=en

Upvotes: 0
