I didn't think the "Anyone with link..." setting promised any kind of security. Honestly, I don't think this was a 'security hole', more like a digital equivalent of a homeowner hiding house keys under the carpet, hoping no one will look.
That's not the issue. Let's say Alice shares a link to a Drive doc with Bob, https://drive/secretlink. If that document has an embedded link to Eve's website, http://some/thirdparty, and Bob clicks the link, then Eve (as the administrator of the third-party site) will see the HTTP Referer as https://drive/secretlink, and she will be able to access Alice's document.
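The leak described above comes down to what the browser puts in the Referer header when Bob follows the outbound link. As an added example (not code from the thread or from Google), here is a small Python model of the W3C Referrer-Policy rules showing what Eve's server receives under each policy; the URLs are constructed placeholders, and the defensive fix for the document host is to send `Referrer-Policy: no-referrer` or mark outbound links `rel="noreferrer"`, which the `no-referrer` case models.

```python
from urllib.parse import urlsplit

# Constructed URLs (assumptions, not from the thread): Alice's "anyone with the
# link" document and the third-party page Bob clicks through to.
SECRET_DOC = "https://drive.example/d/SECRET-TOKEN-placeholder"
EVE_HTTPS = "https://eve.example/kittens"
EVE_HTTP = "http://eve.example/kittens"


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"


def referer_sent(page_url, target_url, policy="strict-origin-when-cross-origin"):
    """Referer value a browser sends when following a link from page_url to
    target_url under the given Referrer-Policy, or None if nothing is sent.
    Follows the W3C Referrer Policy rules; the default here is the one modern
    browsers use, 'no-referrer-when-downgrade' is the older browser default."""
    src, dst = urlsplit(page_url), urlsplit(target_url)
    full = src._replace(fragment="").geturl()  # fragments are never sent
    same_origin = _origin(page_url) == _origin(target_url)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    origin_only = _origin(page_url)
    rules = {
        "no-referrer": None,
        "unsafe-url": full,
        "origin": origin_only,
        "same-origin": full if same_origin else None,
        "origin-when-cross-origin": full if same_origin else origin_only,
        "no-referrer-when-downgrade": None if downgrade else full,
        "strict-origin": None if downgrade else origin_only,
        "strict-origin-when-cross-origin":
            None if downgrade else (full if same_origin else origin_only),
    }
    if policy not in rules:
        raise ValueError(f"unknown Referrer-Policy: {policy}")
    return rules[policy]


def token_leaks(page_url, target_url, policy):
    """True when the capability token (the path of page_url) reaches target_url."""
    sent = referer_sent(page_url, target_url, policy)
    return sent is not None and urlsplit(page_url).path in sent


if __name__ == "__main__":
    for policy in ("unsafe-url", "no-referrer-when-downgrade",
                   "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{policy:32} -> {referer_sent(SECRET_DOC, EVE_HTTPS, policy)}")
```

Note that under every policy except `unsafe-url`, an https document linking to a plain http page sends no Referer at all, so the full-URL leak needs either a legacy `unsafe-url` setting or an https third-party site.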
Correct, which violates least surprise and is almost certainly not intended behavior.
However, the meta-point rishabhsagar touches on is that with an authentication-free access model, this is but one of possibly many potential failure modes. The risk surface is of undefined size, but probably larger than your IT professionals are comfortable with.
I guess it depends on what you're expecting. I expect Referer headers to be sent when I click a link or load a resource (SSL restrictions notwithstanding, https://tools.ietf.org/html/rfc2616#section-15.1.3).
I think rishabhsagar's metaphor of security through obscurity is indeed the issue. If the secret link is protected only by the difficulty of guessing the URL, and not by an additional layer of authentication for the person you are sharing it with, then it amounts to hiding something (a key) in plain sight and hoping for the best. Granted, I'm unsure if Google has a mechanism to throttle/block attempts at guessing Drive URLs.
Google doesn't really need to throttle attempts at guessing Drive URLs - they are long enough that it is totally infeasible for anyone to guess them. The guessability of these links is not the weakest link in finding these documents - it's that they can easily be shared around and you don't know who has the link and who doesn't. This may be okay for your usage - it's a tradeoff between usability (it's easy to share such a link with your friends instead of granting each one permission individually) and security (your friends could forward the link to others without you knowing, which they couldn't do if you'd only granted them the permission).
I expect that they have a throttling mechanism, but nevertheless ...
I just checked one of my shared documents. It has a 44-character-long “random” string; it’s alphanumeric with a few symbols. It looks like a version of base64, but let’s assume that it has only 50 characters to choose from, so there are 50^44 = 5.7E74 possible addresses (2.9E79 if we assume base64). (Assuming they are using something like a cryptographically secure pseudorandom number generator.)
There are 7E9 live people, and assume that each one shares less than 1000 documents, so there are less than 7E12 used addresses. Only one in 5.7E74 / 7E12 = 4.2E66 addresses has a document.
For a brute force attack, let's assume that the attacker uses every valid IPv4 address (256^4 = 4.3E9) to do 1000000 tries per second, so there are 4.3E15 tries per second.
So the expected time to guess an address is 4.2E66 / 4.3E15 = 9.8E50 seconds, that is 3.1E43 years. (For comparison, the universe is only 1.4E10 years old.)
That's in the ideal "system is performing exactly as intended" case, though.
You're assuming that there isn't, for example, a timing attack on the string comparison function. And it doesn't have to be just their server either. It could be, for example, an intermediate proxy server that leaks timing information.
Yes, I suspect the more probable leaks are due to malware and mistakes (someone wants to post a kitten picture, but he makes a mistake and pastes the doc URL.)
And your comment is interesting. Are the proxy servers expected to be secure against a timing attack?
(Also, the proxy administrator may be able to see the logs ...)
Regardless of this particular issue, it's ironic that people think their Google docs are private.
Doesn't Google already have the right to parse your documents in Drive to show you ads?
They just recently pledged to stop parsing the paid Google Apps for Business emails to build ad preferences to show on other Google properties like YouTube.
I wonder if they're already scanning documents, and if we'd even know unless they were forced to stop making misleading statements and acknowledge it in a court case like in the lawsuit over ad profiling of students' email in Google Apps for Education.
Not to mention that Schmidt or Nadella could have read your email or seen your company docs this morning and traded stocks based on them, and Google/Microsoft are not even legally obliged to inform you that it happened.
Hope they have better controls now so that snooping on your data is not so easy for a Google employee. But they're under no legal obligation since you sign away your rights when you upload data to their server. No one in that case would have a legitimate case against Google in court.