Google has confirmed that it has finally patched a glitch in Google Docs which had allowed hackers to read your documents. The flaw was discovered back in July 9, 2020 by a security researcher, known only as Sreeram KL, who was awarded $3,133.70 as part of Google’s bug bounty program. Google offers between $500 and $31,337 for the most severe attacks identified by researchers, so based on the monetary value assigned by the team at Google, this clearly wasn’t the most concerning glitch – it could still be pretty problematic.
The bug was discovered in the Send Feedback and Help Docs Improve features, which allow users to submit screenshots and notes about the online app to help the engineers at Google fix any issues, or implement new functionality that users have suggested. When users agree to send a screenshot with their complaint, the image isn’t taken by Google Docs, but rather, by Google.com.
This saves Google the hassle of duplicating its screenshot function across a dizzying number of its online apps, including Docs, Slides, YouTube, Maps and more.
Instead, the screenshot feature was built to handle requests from all of these various Google apps. However, a flaw in the system meant that hackers could capture screenshots from Google Docs sent by users without their knowledge. This was possible due to a weakness in the URL structure being employed by Google, which made it possible to anticipate the incoming screenshots.
So, hackers could siphon off screenshots of issues within these documents. Given that millions of people rely on Google Docs for education, work, and personal notes – this was a serious issue.
Thankfully, since the hack required users to have hit the Send Feedback button within their document, there wasn’t any way to target individual users. Instead, hackers would need to capture everything coming through the system, or trick specific users into clicking on a rogue website set-up to trick them into hitting the Send Feedback button. Although this was possible, the researcher states, it seems unlikely to have happened in the wild.
Nevertheless, it’s a timely reminder about the importance of keeping sensitive information – like passport numbers, passwords for online logins, banking details, answers to security questions to restore accounts – locked away. That usually means either a hard copy in a desk drawer at home (sometimes the old ways are still the best) or using a password manager with tough encryption.
Hugely-popular apps like 1Password and LastPass offer users the ability to generate and store unique passwords for every online account as well as lock away documents in their online vault. With any luck security researchers, like Sreeram KL who uncovered the Send Feedback glitch, and the teams at Google and other technology giants will keep everything secure, but it’s always safer to follow best practices individually too.