Google Docs Identity Leak Bug Fixed
February 23, 2010 at 6:27 pm 7 comments
Yesterday I wrote about a bug in Google Docs that lets an arbitrary website find your identity. This morning I woke up to this piece of good news in my Inbox:
The fix is pushed out and live for all users as of the middle of last night. Basically we only show the username of collaborators if they are explicitly listed on the ACL of the spreadsheet. Otherwise we call them “Anonymous user”. This means that an editor of the document had to already know the username in order for that username to be visible to collaborators.
I can confirm that the demo page no longer finds my identity. And the spreadsheet in my last post now looks like this:
The Google Docs help question “Collaborating: Why are some users anonymous?” explains:
If a document is set by the owner to be viewable or editable by everyone, then Google Docs does not show the names of those who choose to view or edit the document. Google Docs displays only the identities of users who are explicitly given permission to view or edit a document (either individually or as part of a group).
You might wonder what happens if the attacker explicitly gives permission to a whole bunch of users (say using scraped email addresses) . There seems to be an extra level of protection now:
Sounds like a happy resolution.
To stay on top of future posts, subscribe to the RSS feed or follow me on Twitter.
Entry filed under: Uncategorized. Tags: Google, Google docs, ubercookies, web security.
7 Comments Add your own
Leave a comment
Trackback this post | Subscribe to the comments via RSS Feed
33 Bits of Entropy 
1.
anonymous | February 23, 2010 at 9:52 pm
I don’t remember seeing this option when sharing documents before ; am I right in guessing that the private mailing list shares were also vulnerable ?
2.
Arvind | February 24, 2010 at 12:42 am
That’s my guess as well.
3. How Google Docs Leaks Your Identity « 33 Bits of Entropy | February 24, 2010 at 5:38 am
[…] Update 2. Now fixed. […]
4.
Alina | May 11, 2010 at 5:10 pm
Unfortunately, it seems like the leak still exists in a slightly different version.
I have noticed that on the docs.google.com page, where one can see the list of her documents, next to the document date column (which is the “last modified” date actually), there appears the user name of the last editor of the doc.
5.
Arvind | May 11, 2010 at 5:18 pm
Alina,
Editing a doc is an explicit, user-initiated interaction, and so that would seem like the intended behavior rather than a bug. The reason that the earlier behavior was a bug was that you could get someone’s identity without them ever knowing.
6.
Alina | May 11, 2010 at 5:43 pm
This is inconsistent with the policy inside the doc itself, where even if you’re editing (and not only viewing), your name would appear to others as “anonymous #” (unless you were explicitly invited to view/edit the doc of course).
7.
Alina | May 11, 2010 at 5:16 pm
Unfortunately, it seems like the leak still exists in a slightly different version.
I have noticed that in the docs.google.com page, where one can see her documents list, next to the document date column (which is the “last modified” date actually), there appears the user name of the last editor of the doc.