Google plays down Docs security fears

Issues raised by a security analyst aren't 'significant,' says search and services giant.


Google Docs users shouldn't lose sleep over the security concerns a security analyst has raised about the hosted suite of office productivity applications, Google said late Friday.

In an official blog posting, Jonathan Rochelle, Google Docs' product manager, details why the company has determined that the issues included in the analyst's report are far from critical.

Google's conclusions aren't a surprise. Hours after Ade Barkah published his report on Thursday, Google responded with a preliminary statement saying it was investigating the matter but that it didn't believe there were significant security issues with Docs.

Nonetheless, Google evidently sees some merit in Barkah's report. Google has added information regarding Barkah's observations to its Docs "help" pages about creating drawings and about adding viewers and collaborators to documents.

In addition, Google may make changes to Docs as a result of Barkah's report. "We are also exploring alternative design options that might further address the concerns. We'd like to thank the researcher for sharing his concerns with us," Rochelle wrote.

Asked for comment about Rochelle's blog post, Barkah indicated that he's not done with his security analysis of Google Docs. "At this time, new details and test scenarios are still emerging. I appreciate the excellent feedback I'm receiving from Google Security. I am continuing to share my most recent findings with them, and will be able to comment further once our analysis is complete," he said via email.

Google Docs is a free, standalone product, as well as a component in the broader collaboration and communication suite Google Apps, which comes in free and fee-based versions and is designed for workplace use.

Barkah, founder of BlueWax, an enterprise application consultancy based in Toronto, highlighted what he considered three flaws in the way files are shared in Docs, which lets people invite others to view and edit their word processing documents, spreadsheets and presentations.

First, Barkah noted that images inserted into a document are assigned their own URL, so that someone who has been given access to the document can continue to call up the image even if the document is deleted or if the document owner removes their access rights.

"If you embed an image into a protected document, you'd expect the image to be protected too. The end result is a potential privacy leak," Barkah wrote.
