Google plays down security concerns over Docs

It says the issues raised by a security analyst aren't 'significant'

Google Docs users shouldn't lose sleep over the security concerns a security analyst has raised about the hosted suite of office productivity applications, Google said late Friday.

In an official blog posting, Jonathan Rochelle, Google Docs' product manager, details why the company has determined that the issues included in the analyst's report are far from critical.

Google's conclusions aren't a surprise. Hours after Ade Barkah published his report on Thursday, Google responded with a preliminary statement saying it was investigating the matter but that it didn't believe there were significant security issues with Docs.

Nonetheless, Google evidently sees some merit in Barkah's report. Google has added information regarding Barkah's observations to its Docs "help" pages about creating drawings and about adding viewers and collaborators to documents.

In addition, Google may make changes to Docs as a result of Barkah's report.

"We are also exploring alternative design options that might further address the concerns. We'd like to thank the researcher for sharing his concerns with us," Rochelle wrote.

Asked for comment about Rochelle's blog post, Barkah indicated that he's not done with his security analysis of Google Docs. "At this time, new details and test scenarios are still emerging.

I appreciate the excellent feedback I'm receiving from Google Security. I am continuing to share my most recent findings with them, and will be able to comment further once our analysis is complete," he said via e-mail.

Google Docs is a free, standalone product, as well as a component in the broader collaboration and communication suite Google Apps, which comes in free and fee-based versions and is designed for workplace use.

Barkah, founder of BlueWax, an enterprise application consultancy based in Toronto, highlighted what he considered three flaws in the way files are shared in Docs, which lets people invite others to view and edit their word processing documents, spreadsheets and presentations.

First, Barkah noted that images inserted into a document are assigned their own URL, so that someone who has been given access to the document can continue to call up the image even if the document is deleted or if the document owner removes their access rights.

"If you embed an image into a protected document, you'd expect the image to be protected too. The end result is a potential privacy leak," Barkah wrote.

Rochelle countered that images are kept independently of the documents in which they appear for fear that deleting them would break references to them in other documents and external blogs.

"In addition, image URLs are known only to users who have at some point had access to the document the image is embedded in, and could therefore have saved the image anyway -- which is fully expected," Rochelle wrote.

Ultimately, document owners can request that images be purged from their account by sending an e-mail to Google's support team at

The second observation Barkah made concerned the ability of someone with whom a document is shared to view all versions of any diagram contained in it by modifying the image's URL.

In his response, Rochelle points out that allowing collaborators to view a document's revision history is a Docs feature, and that the only people who could see past revisions of a drawing are those who have been given access to the document.

"We may consider explicitly preventing viewers from accessing drawing revisions," Rochelle wrote. "For now, if document owners decide they don't want viewers to have access to their revisions, they can simply make a new copy of the document -- from the File menu -- and share that new version. The revision history of both the document and all embedded drawings is removed in copies of documents."

Barkah didn't detail his final concern in his report to give Google time to troubleshoot it, but said that it allowed, in some cases, contributors whose access to a document has been removed to get back into it without the owner's knowledge and permission.

Rochelle explained that the scenario involves the use of a Docs feature that allows invitations to access documents to be forwarded to more than one person. Google added this feature in response to requests from users who wanted to forward invitations and share documents with e-mail lists.

"Invitations sent using this feature contain a special key on the document link. This feature can be disabled at any time to expire previously distributed invitations which contain that special key. To do this, simply disable this feature by unchecking it -- in documents and presentations, it's called 'invitations may be used by anyone' and in spreadsheets it's 'editors can share this item,'" Rochelle wrote.

Privacy and security controls in Google's hosted applications have been in the news recently.

Last week, the Electronic Privacy Information Center filed a complaint asking the U.S. Federal Trade Commission to stop Google from offering hosted services that collect data until privacy controls can be verified.

Earlier this month, Google acknowledged that a glitch in Docs caused some documents to be exposed to users without proper permission.

The problem occurred among users who had previously shared documents. The company said it affected fewer than 0.5 percent of documents.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityprivacyGoogleGoogle Docs

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Juan Carlos Perez

IDG News Service
Show Comments


James Cook University - Master of Data Science Online Course

Learn more >




Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?