Monday, March 30, 2009

More security flaws found in Google's "Cloud Computing Services"

The big news on the privacy front these days is the discovery of a bug that allowed the sharing of people's cloud-based documents (i.e. Gmail, Google Docs, Google Calendar, Picasa, and Google Desktop) with unauthorized users. This discovery led to the Electronic Privacy Information Center asking the Federal Trade Commission to investigate Google's cloud security promises.

According to EPIC's own argument summary:

This complaint concerns privacy and security risks associated with the provision of “Cloud Computing Services” by Google, Inc. to American consumers, businesses, and federal agencies of the United States government. Recent reports indicate that Google does not adequately safeguard the confidential information that it obtains.

Given the previous opinions of the Federal Trade Commission regarding the obligation of service providers to ensure security, EPIC hereby petitions the Federal Trade Commission to open an investigation into Google’s Cloud Computing Services, to determine the adequacy of the privacy and security safeguards, to assess the representations made by the firm regarding these services, to determine whether the firm has engaged in unfair and/or deceptive trade practices, and to take any such measures as are necessary, including to enjoin Google from offering such services until safeguards are verifiably established.

Such action by the Commission is necessary to ensure the safety and security of information submitted to Google by American consumers, American businesses, and American federal agencies.


Now, compounding the increasing pressure on Google, as well as the continued unwanted bad press it's been getting, a security analyst says he's found three glitches in Google Docs that could expose private data.

As I've detailed on this blog before, Google doesn't have the best record on privacy related issues, with an almost hostile relationship developing in recent months between the company and privacy advocates. Apparently this trend is continuing without any signs of abating.

Reuters reports:

Google Docs is an online office productivity suite that lets users create and share word processing or spreadsheet documents. It's free for consumers, and Google also offers an enterprise version, Google Apps, with more features.

One of the flaws allows images to be accessible even if a document has been deleted or the sharing rights have been revoked, wrote Ade Barkah, the founder of BlueWax, an enterprise application consultancy based in Toronto.


...

The second problem allows users to see all versions of an image that's been modified. For example, if a user wanted to redact part of an image and share it, the user who has access to it could modify the URL of that image to see previous versions.

...

Barkah also found a third problem but is not releasing details on it just yet. It appears to allow people who once had access to someone's Google Docs to still get access even if access rights have been changed.

...

In a statement, Google said they are investigating but that "we do not believe there are significant security issues with Google Docs." If accurate, Barkah's discoveries are likely to fuel calls that the company needs to do a thorough security review of its cloud-based applications.

In a follow up piece by Reuters, Google attempts to answer some of the assertions made by Mr. Barkah, and hints it may address some of the core concerns he raised:

Google evidently sees some merit in Barkah's report. Google has added information regarding Barkah's observations to its Docs "help" pages about creating drawings and about adding viewers and collaborators to documents. In addition, Google may make changes to Docs as a result of Barkah's report. "We are also exploring alternative design options that might further address the concerns. We'd like to thank the researcher for sharing his concerns with us," Rochelle wrote.

...

Rochelle countered that images are kept independently of the documents in which they appear for fear that deleting them would break references to them in other documents and external blogs. "In addition, image URLs are known only to users who have at some point had access to the document the image is embedded in, and could therefore have saved the image anyway -- which is fully expected," Rochelle wrote. Ultimately, document owners can request that images be purged from their account by sending an e-mail to Google's support team at docsimagedelete@google.com.

...

In his response, Rochelle points out that allowing collaborators to view a document's revision history is a Docs feature, and that the only people who could see past revisions of a drawing are those who have been given access to the document.

...

Barkah didn't detail his final concern in his report to give Google time to troubleshoot it, but said that it allowed, in some cases, contributors whose access to a document has been removed to get back into it without the owner's knowledge and permission. Rochelle explained that the scenario involves the use of a Docs feature that allows invitations to access documents to be forwarded to more than one person. Google added this feature in response to requests from users who wanted to forward invitations and share documents with e-mail lists.

"Invitations sent using this feature contain a special key on the document link. This feature can be disabled at any time to expire previously distributed invitations which contain that special key. To do this, simply disable this feature by unchecking it -- in documents and presentations, it's called 'invitations may be used by anyone' and in spreadsheets it's 'editors can share this item,'" Rochelle wrote.

Barkah has not responded yet to Google's rebuttals...so stay tuned...

No comments: