Wired.com discovers Google Docs flaw, but that's not the only one
Google Docs get lost in translation
On the Cyberstrategies Web site, Tim Bass tells about a "crossover" in document ownership that happened between himself and a user located in Thailand. Evidently, one of the documents mis-assigned to Bass had been created in the Thai language.
Bass theorized that the flaw he experienced stems from a a JavaScript error in how Google manages user sessions. "There may be an underlying XSS vulnerability as well," he said. "The bottom line is that the security breach is real and dangerous. Your Google Docs, and I suspect other Google applications that use the same session management code, are vulnerable."
Way back in July of 2007, Ralf Scharnetzki found that Google Docs "seems to not delete but only hide documents when the trash is emptied." Also parts of private documents on Google Docs can be accessed without the need to enter an user ID and password, he said.
That's because the documents from Google Docs are HTML files that reference external images. Each image for a document has its own public address, even when the the document is private, according to his way of thinking.
Informally, Betanews today took a test posted on Scharnetzki's Web site that's intended to show whether Google has yet fixed the problem whenever the test is done. The answer was still "no," some 18 months later.
Others have noted that, in the Standard Edition of Google Apps, SSL encryption is absent, even though Google finally gave Gmail users a way to encrypt e-mail connections midway through last year.
"Since Google promotes [Google] Apps as a Web-based alternative to expensive desktop software, many people mistakenly assume that means Google services are, in general, 'pretty much' secure for personal use, too. Apparently, that's only true to a point," observed Sarah Perez on the ReadWriteWeb site.
Google ameliorates some of the these issues, at least, in Google Apps Premier, a business-oriented edition that sells for $50 per user, per year.
As Wired.com's Calore found out after talking with Google's Apps team, the Premier Edition provides administrators with the ability to authorize users within a specified domain space, so that users in an organization can be granted permission to edit documents privately without logging in through a Google account.
Still, however, document security is not always self-explanatory in Google Apps. The business package also gives administrators a feature for forcing SSL sessions on all users. But if this feature isn't turned on by an administrator, the help documentation fails to explain how users can enable SSL by themselves, as Perez pointed out.
"All the documentation says is that 'your users can enable HTTPS when necessary.' What they probably mean is that anyone can type in 'https' when entering in the URL for a Google Apps service in the address bar of their browser," Perez said.
"Since your average Internet user doesn't think about these sorts of things, though, that's probably not the best solution in terms of security."