Google plays down security concerns over Docs

It says the issues raised by a security analyst aren't 'significant'

Google Docs users shouldn't lose sleep over the security concerns a security analyst has raised about the hosted suite of office productivity applications, Google said late Friday.

In an official blog posting, Jonathan Rochelle, Google Docs' product manager, details why the company has determined that the issues included in the analyst's report are far from critical.

Google's conclusions aren't a surprise. Hours after Ade Barkah published his report on Thursday, Google responded with a preliminary statement saying it was investigating the matter but that it didn't believe there were significant security issues with Docs.

Nonetheless, Google evidently sees some merit in Barkah's report. Google has added information regarding Barkah's observations to its Docs "help" pages about creating drawings and about adding viewers and collaborators to documents.

In addition, Google may make changes to Docs as a result of Barkah's report.

"We are also exploring alternative design options that might further address the concerns. We'd like to thank the researcher for sharing his concerns with us," Rochelle wrote.

Asked for comment about Rochelle's blog post, Barkah indicated that he's not done with his security analysis of Google Docs. "At this time, new details and test scenarios are still emerging.

I appreciate the excellent feedback I'm receiving from Google Security. I am continuing to share my most recent findings with them, and will be able to comment further once our analysis is complete," he said via e-mail.

Google Docs is a free, standalone product, as well as a component in the broader collaboration and communication suite Google Apps, which comes in free and fee-based versions and is designed for workplace use.

Barkah, founder of BlueWax, an enterprise application consultancy based in Toronto, highlighted what he considered three flaws in the way files are shared in Docs, which lets people invite others to view and edit their word processing documents, spreadsheets and presentations.

First, Barkah noted that images inserted into a document are assigned their own URL, so that someone who has been given access to the document can continue to call up the image even if the document is deleted or if the document owner removes their access rights.

"If you embed an image into a protected document, you'd expect the image to be protected too. The end result is a potential privacy leak," Barkah wrote.

Rochelle countered that images are kept independently of the documents in which they appear for fear that deleting them would break references to them in other documents and external blogs.

"In addition, image URLs are known only to users who have at some point had access to the document the image is embedded in, and could therefore have saved the image anyway -- which is fully expected," Rochelle wrote.

Ultimately, document owners can request that images be purged from their account by sending an e-mail to Google's support team at

The second observation Barkah made concerned the ability of someone with whom a document is shared to view all versions of any diagram contained in it by modifying the image's URL.

In his response, Rochelle points out that allowing collaborators to view a document's revision history is a Docs feature, and that the only people who could see past revisions of a drawing are those who have been given access to the document.

"We may consider explicitly preventing viewers from accessing drawing revisions," Rochelle wrote. "For now, if document owners decide they don't want viewers to have access to their revisions, they can simply make a new copy of the document -- from the File menu -- and share that new version. The revision history of both the document and all embedded drawings is removed in copies of documents."

Barkah didn't detail his final concern in his report to give Google time to troubleshoot it, but said that it allowed, in some cases, contributors whose access to a document has been removed to get back into it without the owner's knowledge and permission.

Rochelle explained that the scenario involves the use of a Docs feature that allows invitations to access documents to be forwarded to more than one person. Google added this feature in response to requests from users who wanted to forward invitations and share documents with e-mail lists.

"Invitations sent using this feature contain a special key on the document link. This feature can be disabled at any time to expire previously distributed invitations which contain that special key. To do this, simply disable this feature by unchecking it -- in documents and presentations, it's called 'invitations may be used by anyone' and in spreadsheets it's 'editors can share this item,'" Rochelle wrote.

Privacy and security controls in Google's hosted applications have been in the news recently.

Last week, the Electronic Privacy Information Center filed a complaint asking the U.S. Federal Trade Commission to stop Google from offering hosted services that collect data until privacy controls can be verified.

Earlier this month, Google acknowledged that a glitch in Docs caused some documents to be exposed to users without proper permission.

The problem occurred among users who had previously shared documents. The company said it affected fewer than 0.5 percent of documents.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags privacyGoogleGoogle Docs

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Juan Carlos Perez

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?