Google is downplaying potential privacy issues in Google Docs that were recently brought to light.
In his blog March 26, Security consultant Ade Barkah published information about three privacy issues in Google Docs tied to the system's content sharing controls. The most serious of the issues is not described in detail, although he contends that it could be abused in certain circumstances to allow someone to access a document even after that person's access rights have been taken away.
Barkah has been in touch with Google about his findings, and a spokesperson at the company said the issues he raised are being investigated, though the company does not believe the issues represent a serious threat to users.
Barkah demonstrated that embedded images in documents can still be accessed by people with whom the documents had been shared even if that document is no longer shared, or even after it has been deleted.
"When you embed ('insert') an image from your computer into a Google Document, that image is 'uploaded' onto Google servers and assigned an ID," Barkah wrote. "From then on, the image is accessible via a URL."
In addition, when a document contains a Docs diagram, it is possible for people with whom that document was shared as a collaborator to see the diagram even if it was redacted.
"In Google Docs, a diagram is a set of instructions that's rasterized into an image (in PNG format)," he wrote. "Each time you modify a diagram, a new raster image is created, but the old versions remain accessible via a URL, in the format: docs.google.com/drawings/image?id=1234&...&rev=23&ac=1. To view any previous version, just change the 'rev=' number above."
In fairness to Google, the examples involve documents that have already been shared, which assumes a certain degree of trust.
"We take the security of our users' information very seriously and are investigating the concerns raised by the researcher," a Google spokesperson said. "Based on the information we've received, we do not believe there are significant security issues with Google Docs. We will share more information as soon as it's available."