Security hole that leaks data to third parties found in Google Drive, and how to deal with it



Online storage services, which let you store data on the Internet and access it over the Internet at any time, are seeing growing use. Google Drive, which recently announced the "Google Drive for Work" service with unlimited storage capacity and a maximum file size of 5 TB, was found to have a security hole through which private data leaked to unintended third parties, and it has been revealed that a fix has been made.

Google Online Security Blog: Google Drive update to protect to shared links
http://googleonlinesecurity.blogspot.co.uk/2014/06/google-drive-update-to-protect-to.html

Google Drive Found Leaking Private Data - Another Warning About Shared Links - Intralinks Collaborista Blog
http://blogs.intralinks.com/collaborista/2014/07/google-drive-found-leaking-private-data-warning-shared-links/

In the security hole revealed this time, when a file stored on Google Drive contains a clickable URL and its sharing setting is "Anyone who has the link can view", a third party who would not normally be permitted to view the file can get past authentication and view it. For example, the problem clearly arises in a case like the following.

A company, "Company X", planned to acquire "Company Z". Company X creates confidential material to decide its offer bid and stores a PDF file containing multiple purchase plans on Google Drive. The file, created as study material, is set to "shared with anyone who has the link" so that only Company X executives can view it, and the link to the file is given only to the relevant executives.

The PDF file has an embedded URL to the website of Company Z, the acquisition target, and the site can be visited with a single click. In this situation, when one of Company X's executives clicks the link in the PDF file and visits Company Z's site, Company Z's site administrator, who should have no permission to view it, gains access to the PDF file and can see the confidential information.

By Michelangelo Carrieri

The problem occurred because the referrer URL, which should not have been disclosed to the other party, was improperly sent. It arose when all of the following conditions were met.

· The file has been uploaded to Google Drive
· The file has not been converted to "Docs", "Sheets" or "Slides" format and is stored as ".pdf" or ".docx"
· The owner (administrator) of the file has set its sharing setting to "anyone who has the link can view"
· The file includes a link to a third-party HTTPS site
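
The four conditions above can be turned into an audit of existing files. The following Python is an added example, not code from Google or from the original article. It assumes an inventory of records shaped like Drive API file metadata (`mimeType`, and `permissions` where `type` is `anyone` for link sharing) with the downloaded bytes in a hypothetical `content` field, and all sample data is constructed.

```python
import io
import re
import zipfile

# Converted (Drive-native) files are out of scope per the conditions above.
NATIVE_PREFIX = "application/vnd.google-apps."
PDF_URI = re.compile(rb"/URI\s*\((https://[^)\s]+)\)")
DOCX_REL = re.compile(rb'Target="(https://[^"]+)"[^>]*TargetMode="External"')

def https_links(name, data):
    """HTTPS link targets in a .pdf/.docx (simplified: uncompressed PDF objects, main docx part)."""
    if name.lower().endswith(".pdf"):
        return [u.decode() for u in PDF_URI.findall(data)]
    if name.lower().endswith(".docx"):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            rels = z.read("word/_rels/document.xml.rels")
        return [u.decode() for u in DOCX_REL.findall(rels)]
    return []

def audit(files):
    """Return (name, links) for each uploaded file that meets every condition."""
    hits = []
    for f in files:
        link_shared = any(p.get("type") == "anyone" for p in f["permissions"])
        if f["mimeType"].startswith(NATIVE_PREFIX) or not link_shared:
            continue
        links = https_links(f["name"], f["content"])
        if links:
            hits.append((f["name"], links))
    return hits

def make_docx(url):
    """Build a minimal constructed .docx container holding one external link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels",
                   f'<Relationship Id="r1" Target="{url}" TargetMode="External"/>')
    return buf.getvalue()

# Constructed sample inventory (file names, hosts and bytes are made up).
PDF = b"%PDF-1.4\n1 0 obj << /A << /S /URI /URI (https://company-z.example/) >> >> endobj\n"
ANYONE = [{"type": "anyone", "role": "reader"}]
USER = [{"type": "user", "role": "reader"}]
SAMPLE = [
    {"name": "plans.pdf", "mimeType": "application/pdf", "permissions": ANYONE, "content": PDF},
    {"name": "private.pdf", "mimeType": "application/pdf", "permissions": USER, "content": PDF},
    {"name": "memo.docx", "permissions": ANYONE, "content": make_docx("https://company-z.example/ir"),
     "mimeType": "application/vnd.openxmlformats-officedocument.wordprocessingml.document"},
    {"name": "nolinks.pdf", "mimeType": "application/pdf", "permissions": ANYONE, "content": b"%PDF-1.4\n"},
]
```

Calling `audit(SAMPLE)` returns the link-shared PDF and .docx together with the HTTPS targets found in each.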

According to Google, this problem has already been fixed, and the behavior has been changed so that referrer information is no longer sent for such files newly uploaded to Google Drive. For existing files that may be affected, it is enough to create a copy of the file on Drive, set up sharing on the copy, and delete the old file.

One contributing cause of this problem is that the file was left in the "viewable by anyone who has the link" state, so the problem can be solved fundamentally by restricting the file's sharing setting to "specific users" only.

Online storage services offer high accessibility and advantages in terms of maintenance, and they are used not only privately but also in business systems, yet it seems that careful attention is needed when using them.

By Mbrand

in Note, Web Service, Posted by darkhorse_log