tldr; You can view a preview of private Google Docs despite not having access, as long as you have the doc's link.<p>Longer version:
I received a link to a Google doc on slack recently, but the owner had forgotten to share permissions with me. Though I couldn't view the doc when I clicked it, I did notice that I could view the first page of the doc in the link preview. It was very high res and I could view the text clearly. Isn't this a security vulnerability worth plugging? I reported it to Google, but they responded with:<p>"Hi! We've decided that the issue you reported is not severe enough for us to track it as a security bug: when someone with access to a doc sends a link over slack, they express their intent to share this document, hence the preview shared independently from the sharing setup on the doc does not represent a significant risk."<p>I tried responding that many people have Google Drive links exposed even publicly, but they assume that only those with access can view them. But I got the same response pretty much. Am I missing something here, or is this an oversight by Google?
The issue means you cannot broadcast the link to people (for instance, plant it on some project dashboard, or paste it into a Slack channel), and then select who gets access. You cannot revoke 100% of the access from someone to whom you've given the link.<p>The reason you've been given sounds like something frowned upon in HN: a shallow dismissal.<p>Even if we accept their reasoning, there is still something wrong: users don't know about the behavior. There is no "warning: sharing a link to someone gives them a high resolution preview of a page of the document, which doesn't require permissions". It's not what you would assume in a document sharing system that has permissions.
If I am understanding what is happening is that the sender has access to the document and via the Google Drive plugin for Slack they are effectively attaching a preview image when the share the link.<p>So the stance that Google is taking is probably taking is that this is equivalent to the user sharing the link also sharing a screenshot as a preview. (Something that they have permission to do)<p>I do agree that this may be a bit surprising but the sender has "opted-in" to this behaviour when they signed into the Google Drive plugin for Slack. But I don't find Google's perspective completely unreasonable.
What team did you report this issue to? I think this is more about the Slack Google Drive plugin's behavior than Google Docs per se. If someone with permission to view the doc takes a screenshot of the first page of the doc and sends that to you, there's nothing really that Google Docs can do to stop that. That's analagous to what's happening here. The Google Docs Slack integration is what's sharing the preview image.<p>I agree that it's poor behavior and potentially could be part of a critical security compromise. But you'd need to get a hold of the right team. The Google Docs core engineers probably don't care and couldn't fix it anyway.<p>I don't know for sure (and can't check now since I no longer work there), but my impression at a former job that made heavy use of Slack and Google Docs was that in a corporate setting with Google Enterprise or whatever it's called, the Slack integration was far more cautious about showing previews. It even alerted you if you posted a document that not everyone in the channel could view, and gave you the ability to grant them access right then and there. IIRC, previews were hidden if you didn't have access. I don't know if that is a different plugin or just better behavior in a corporate setting.
If I follow correctly yes this is an obvious vulnerability. Someone at Google made the wrong decision to not fix this years ago and keeps doubling down on that decision.<p>If someone does a blog post like “Looking at the first page of 1 billion private Google Docs” they’ll fix it.
This issue have been reported multiple times over the years:<p>- <a href="https://news.ycombinator.com/item?id=37854159">https://news.ycombinator.com/item?id=37854159</a> (October 2023)<p>- <a href="https://news.ycombinator.com/item?id=32770709">https://news.ycombinator.com/item?id=32770709</a> (September 2022)<p>- <a href="https://twitter.com/matbennett/status/1171015871868874757" rel="nofollow">https://twitter.com/matbennett/status/1171015871868874757</a> (September 2019)<p>So you are at least not the first one to get dismissed.<p>EDIT: Jogging the memory in the other threads, this happens when the person posting the link have (a) enabled the Drive integration and (b) have permission to view the document.
I reported to Google that I could harvest firebase JWTs and keep them alive forever in a cloud function by refreshing the access tokens from a cloud function hosted on their own platform. The key issue in my eyes was there was no way to revoke the exfiltrated JWT.<p>They closed the ticket as:
1) You had to compromise the frontend
2) We bought firebase within 120 days, so we won't bug bounty it.<p>Completely ignoring that the authentication could not be rolled. That was the last time I tried to disclose or improve a google product.
I gave some talks about detecting the use of the same JWT across IP ranges, and using that as a litmus to revoke all user access until your application could contact the user.<p>Anyway, that was all to say my personal experience is that Google does not care about solving security issues and will actively suppress them until they reach some level of critical mass.
Surely it is not just anyone that a link is shared with, but anyone with the link?<p>It's link-bearer open access to a partial document (an entire page) an author marks as not having partial access. Circumvention of Google's authentication procedure.<p>Is that understanding correct?<p>If so, Google's seemingly OK with users believing something's secure, that isn't. And that could cause information leakage by Google's design that could lead to fraud and/or other crime.
Somebody could try to snipe those google doc links and scrape the preview results. I bet that people could find passwords and valuable information from it.<p>This looks like a security vulnerability to me. I pay for Google Drive, and I'm starting to distrust Google to maintain the safety of my data properly.
This sounds familiar. I'm pretty sure this problem was brought up on HN years ago, and basically Google said the same thing at the time.<p>And yeah, I think it's ridiculous.
The physical analogy is a cover page, intended to conceal the subsequent contents when stacked on a table.<p>A tooltip change (warning) to the sharing view would be sufficient to address the concerns that the first page is displayed as part of the preview for those with Google Drive integrations enabled.<p>You should change your tl;dr to reflect that one can view a preview of the first page of a shared Google Doc, despite not having access, when provided the sharing link and with Google Drive integrations enabled.
The product manager was not involved in the decision to mark it "won't fix". Or more likely, even if the PM did see your bug report, the PM doesn't understand the issue.
On a user level I agree, on a technical level I disagree.<p>Reason for disagreement is that the preview is generated once with the access rights for the user posting that link (with the permission Slacks Google Docs integration got from the posting user). For performance reason it would be quite costly to generate a preview for every viewing user since access rights could be different for every user. Also access rights can change every time, so it would be necessary to recheck permissions regularly to decide if the preview should be renewed (removed/added/changed). This also would mean users need to wait longer for the preview to generate.<p>So every user posting a link on Slack (or any platform which generates previews with a special integration) should be aware of that fact