A security analyst has found “three glitches” in Google Docs that could expose private data, but Google denied any security risk.
One of the flaws allows images to be accessible even if a document has been deleted or the sharing rights have been revoked, wrote Ade Barkah, the founder of BlueWax, an enterprise application consultancy based in Toronto.
A person would need to have the correct URL for the image to access it, Barkah wrote. The flaw shows that Google Docs does not protect images with its sharing controls, he wrote.
"If you've shared a document containing embedded images with someone, that person will always be able to view those images," he wrote. "If you embed an image into a protected document, you'd expect the image to be protected too. The end result is a potential privacy leak."
The second problem allows users to see all versions of an image that has been modified. For example, if a user wanted to redact part of an image and share it, the user who has access to it could modify the URL of that image to see previous versions.
Barkah wrote that items such as diagrams are rasterised into a .PNG image. When the diagram is modified, Google Docs creates a new rasterised image but preserves old versions with a unique URL. By changing a numeral in the URL, the old diagram can be seen.