[Home]  [Headlines]  [Latest Articles]  [Latest Comments]  [Post]  [Mail]  [Sign-in]  [Setup]  [Help]  [Register] 

CBDC Digital Currencies: A Recipe for Global Slavery

The Counterrevolution Against the Constitution

Conservatives in Congress Pushing to Repeal Military Covid Vaccine Mandate via NDAA

Gov’t Criminally Ignoring Vax-injured Living in Hell on Earth

There’s No Natural ‘Carrying Capacity’ for the Human Population: An Essay Inspired by the Happy News that the Human Population Has Reached Eight Billion

Turkey Expects More Extraditions From Sweden for NATO Membership

As the Pentagon Fails Another Audit, Congress Wants to Spend Even More on "Defense"

Danger Zone: On Religion, America Is Becoming More Like China

World Court Must Rule on Climate Justice: UN "Youth" Delegate

California Reparations Task Force Proposes $223K Per Person for Black Residents

Renowned Cardiologist: mRNA Vaccines May be “Changing the Human Genome”

New York Forces Websites To Monitor 'Hateful' Speech. A New Lawsuit Says This Violates the First Amendment.

Congress inches toward year-end government funding deal

Russian Oil Price Cap, EU Sanctions Come Into Effect

Born on the Tenth of January

Word and Sacrament: The marks of the church

SCOTUS Appears Favorable to Web Developer in Lawsuit Against Colorado Anti-discrimination Law

Semiconductor Manufacturers Don't Need More Subsidies. They Need Less Government.

Supreme Court Debates Whether Web Designers Can Be Forced To Make Gay Wedding Pages

NATO Exists To Solve The Problems Created By NATO's Existence

Life insurance companies sound DEATH ALERT warnings over nearly 100,000 excess deaths per month happening right now in the USA

Iran Says It Won’t Resume Nuclear Deal Talks ‘Under Pressure’

US Army Plans ‘Dramatic’ Increase in Ammunition Production as Ukraine Aid Drains Stockpiles

WSJ: US Secretly Limited Range of Weapons Sent to Ukraine

Imagining a Revived, Twenty-First Century Capitalism

Ukraine war: Fighting will be at 'reduced tempo for months' US intelligence experts say

Nigerian President Says Weapons From Ukraine are Winding Up in Africa

Ukraine Says Oil-Price Cap Won’t Dent Russia’s Ability to Fund War

Russia Rejects EU’s $60 Oil Price Cap

Macron Says Security Guarantees for Russia Needed for Future Peace Deal

Old Testament: Isaiah 7:10-17 (Advent 4: Series A)

Doing His Duty

Raytheon Gets $1.2 Billion Contract to Produce Air Defense System for Ukraine

Gospel: Matthew 1:18-25 (Advent 4: Series A)

NRA Files Lawsuit Against Oregon Gun-control Law

The Woman Who Spearheaded Prohibition's Repeal

How to replace the welfare state

Will Your State Reject the Fed’s Digital Dollar?

Rep. Adam Smith Says Calls for Ukraine Aid Oversight are ‘Russian Propaganda’

Epistle: Romans 1:1-7 (Advent 4: Series A)

Almost No One Noticed the Hate Speech Law That Just Took Effect — or the Lawsuit Against It

After a Crackdown on a Pain Clinic, a Tragic Double Suicide

11th Circuit Says a Judge Should Not Have Interfered With the FBI's Review of the Mar-a-Lago Documents

Police thought his cash was suspicious. So they took it. And won’t give it back.

REAL ID Requirement for Travelers Delayed Until May 2025

Lavrov Says Russia, China Stepping Up Military Cooperation in Response to NATO

A Tribute to the U.S. Marine Corps

Church Fathers on Christmas: St. Augustine

Russia Is the Last Remaining Christian Country

Zelensky’s Long History of Crushing Dissent

Status: Not Logged In; Sign In

See other Computers-Hacking Articles

Title: Google Docs Design Flaw May Fool You Into Making Your Docs Editable by Anyone
Source: Wired
URL Source: http://blog.wired.com/business/2009/01/google-docs-des.html
Published: Jan 22, 2009
Author: Michael Calore
Post Date: 2009-01-22 15:39:01 by A K A Stone
Keywords: None
Views: 898

If you're currently sharing spreadsheets, documents or presentations using Google Docs, go double-check the permissions settings of those shared docs right now.

Wired.com has discovered a design flaw in the web app's user interface that could lead users to mistakenly open up their docs to editing by anybody on the internet.

Funny thing is, we found out about it the hard way.

A co-worker of mine discovered Wednesday morning that the Wired Tech Layoff Tracker, a spreadsheet we're sharing with all of you using Google's free service, had been changed. The name of the reader who had edited the doc wasn't known to my co-worker, and he certainly hadn't knowingly given edit permissions to anyone outside Wired.com.

Thankfully, our hacker was a benevolent fellow who immediately notified us he had been able to edit our shared document. Thanks to him, we were able to correct the exploit before anyone else could fiddle with our spreadsheet.

The problem stems from a confusing bit of interface design in Google Docs.

Check out this screenshot:


This is what you see when you choose to share a spreadsheet within Google Docs. (The red labels are my own). Shown is the Invite People tab, where you can add e-mail addresses of people you want to let view or edit your doc. You can also set permissions as you invite them, by clicking on the To Edit or To View radio buttons. I've labeled it section A.

At the bottom, in section B, are the Privacy settings, with three more radio buttons. The options are clear: You're choosing whether to let people edit or view the document without signing in, something that requires a Google account.

What's not clear is that in this instance, "people" in section B refers not to the people you've specifically invited in section A, but rather everyone on the internet.

Here's the next tab in the Sharing pane, People With Access:


Again, you have a list of permitted users and their preferences in section A, and an Ajax-powered menu in section B that lets you allow "people" to edit or view the doc with or without signing in.

As before, they way section B is worded, it's not clear "people" means everyone on the internet, not the list of people up in section A.

You can probably guess we had set our permissions to "Let people edit without signing in," which is what left us exposed. Why would we choose that setting? We simply wanted to lower the barrier of participation for everyone in the newsroom.

There are a few people working here (I won't name them) who don't trust Google and don't want a Google account, and therefore wouldn't add anything to our Layoff Tracker if we required them to sign in. Since we value their input, we left the option open, thinking we were only applying those privacy settings to our own approved invitees.

Some of you are probably reading this and thinking, "Duh!?" Maybe it's totally clear to you that the options in section A and section B aren't related, but it wasn't to us. Look at how those tabs are laid out and labeled, and it becomes easy to see how other users would make the same mistake we did. Even if it's a low number of users — say 10 percent — that's a big design flaw.

If you're currently sharing anything in Google Docs with the "Let people edit without signing in" option, be aware that your documents are about as secure as public wikis, especially if they're embedded in an HTML page or linked to from a public website. We recommend changing the settings on each shared document to "Always require sign-in." Also, update your notification settings to send you an e-mail whenever a document is edited by anyone.

I spoke with two representatives from the Google Apps team on the phone Wednesday afternoon, and they assured me Google has not heard of any instances where other users are getting tripped up by these privacy settings (That's not to say docs aren't being exposed, it just means nobody's reported untoward activity). The representatives did agree, however, that the interface was poorly worded and merits review, so they passed along our feedback to the rest of the Google Apps team.

Something else they stressed is that there's a big difference between using Google Docs to share your kids' soccer schedule and using it to share corporate data, which is why the company places more tight controls on its app offerings for small businesses. Google Apps Premiere Edition, a commercial cloud-based service ($50 per user per year) gives admins the ability to authorize users within a specific domain space — meaning users in your organization can be given permission to edit docs privately without logging in through a Google account.

The free version of Google Docs has been criticized for being lax around both security and legal issues, but as our little mishap proves, sometimes the weakest security link is the end user.

What do you think about Google Doc's security, especially when it comes to how "foolproof" the app is? What about collaborative, cloud-based services in general?

We'll update this post if Google makes any changes to this part of the app's interface.

Michael Calore">Click for Full Text!

Post Comment   Private Reply   Ignore Thread  

[Home]  [Headlines]  [Latest Articles]  [Latest Comments]  [Post]  [Mail]  [Sign-in]  [Setup]  [Help]  [Register] 

Please report web page problems, questions and comments to webmaster@libertysflame.com