Google Informs Docs Users Of Security Lapse

Google informed an undisclosed number of Google Docs users Friday that they may have been sharing documents they hadn't intended to share.

The company played down the impact of the security lapse, noting that less than 0.05% of all documents were affected.

A Google spokesperson did not immediately respond to a request to define the other operand in the equation -- the total number of Google Docs files being multiplied by 0.0005 -- making it impossible to determine whether 1, 10, 100, 1,000, or more documents were affected.

"As we noted in the Google Docs Help Forum yesterday, we've identified and fixed a bug where a very small percentage of users shared some of their documents inadvertently," wrote Google Docs product manager Jennifer Mazzon in a blog post Saturday. "The inadvertent sharing was limited to people with whom the document owner, or a collaborator with sharing rights, had previously shared a document. The issue affected so few users because it only could have occurred for a very small percentage of documents, and for those documents only when a specific sequence of user actions took place."

As described by Mazzon, the bug occurred when either the document owner, or someone with whom the document had been shared, selected multiple documents and presentations at once and changed the sharing permission settings. Spreadsheets were not affected.

In making its fix, Google removed the names of those who had previously been allowed to collaborate on the affected documents or to view them. Google Docs users whose documents were affected in this way have been notified and will have to add those names back, the company said.

Mazzon expressed regret for the incident and said that Google is treating it very seriously.

The last such Google Docs security lapse was reported in September, when Tim Bass, posting to the (ISC)² blog, disclosed a caching flaw that led to inadvertent document sharing in certain circumstances.

An ongoing security risk of Google Docs, or any online document-sharing service for that matter, is user error. Just as users occasionally send e-mail messages to the wrong person, they may share documents with someone by mistake.

It's also worth noting that while those using Google Docs through Google Apps Premiere Edition and Google Apps Education Edition can be forced by an administrative setting to default to a secure SSL connection, other Google Docs users must choose to connect via HTTPS. Failure to make that choice could put Google Docs users at risk in situations where cookie session hijacking is possible, such as on a public Wi-Fi network.

At the Black Hat Conference in Washington, D.C., recently, security researcher Moxie Marlinspike demonstrated how sites that allow both HTTP and HTTPS sessions may be vulnerable to a man-in-the-middle attack.

InformationWeek Analytics has published an independent analysis of the challenges around setting business priorities for next-gen Web applications. Download the report here (registration required).