I didn't think "Anyone with link..." setting promised any kind of security. Honestly, I don't think this was a 'security hole', more like a digital equivalent of a home owner hiding house keys under the carpet, hoping no one will look.
HTTP referers are evil. I've been using RefControl[0] to block 3rd party referers for years now.<p>[0] <a href="http://www.stardrifter.org/refcontrol/" rel="nofollow">http://www.stardrifter.org/refcontrol/</a><p>The web wasn't built with privacy in mind. 3rd party cookies and HTTP Referers are just the low hanging fruit.
I'm glad Google fixed this, but if something is important you really shouldn't be securing it merely by giving it an obscure URL.<p>Google Drive makes it very easy to say "only these named people" should have access, or "only people who have the link AND a google account for your company"
Google is correct to say this is a relatively obscure issue, and a relatively small increment in loss of security. Who would consider sharing a Drive link to be "secure" by any definition of the word? It can leak all over the place by numerous means. For starters, and email recipient of the link might be using an unencrypted connection for downloading the link over wifi.
That's a very poorly worded security setting. If you're building a service where people can share something set as "Anyone with link...", you really ought to make it very clear that means it's open for anyone to download. The setting should really be named 'Remove privacy settings - allow anyone to download'. 'with link' implies some level of security that just isn't there. Even if Google proxy links within the document, there's <i>always</i> the possibility that someone could accidentally send a link to the file to someone, or that someone could shoulder surf it, or even guess it is if it's simple enough.
> "The security hole, which has now been patched by Google"<p>This has only been fixed for <i>new</i> links. All existing links are still vulnerable.<p>From Google's Blog:<p>>"Today’s update to Drive takes extra precaution by ensuring that <i>newly shared</i> documents with hyperlinks to third-party HTTPS websites will not inadvertently relay the original document’s URL."
Maybe I'm misunderstanding, but if the document in Google Drive is served over HTTPS, then the referrer when a user visits a linked site should only show the hostname (ie drive.google.com) not the full URL, right?
How does the fix work? Does it prevent the browser from sending the referrer URL? Or maybe load all documents from the same URL with the document ID in a POST request instead or GET?
How is this different than DropBox? Maybe dropbox is more obscure and google more open, hence finding this vulnerability is actually a good thing. Just thinking aloud.
Anyone with the link could also share the link publicly. I think if your document contains sensitive information you should be restricting the access anyway.
This is news? Come on! You give anyone a link to your data and you expect security! Hello! If I gave folk a key to my house I doubt I'll have any my A/V equipment or computers when I come back after a long weekend. Why should I expect my data to be any safer!?
<a href="https://www.facebook.com/notes/facebook-engineering/protecting-privacy-with-referrers/392382738919" rel="nofollow">https://www.facebook.com/notes/facebook-engineering/protecti...</a><p>Facebook Engineering's entry on various methods of hiding referrers. This was 4 years ago, so some of these techniques might not still work.