June 27, 2014

Google Drive update to protect to shared links

Posted by Kevin Stadmeyer, Technical Program Manager

At Google, ensuring the security of our users is a top priority, and we are constantly assessing how we can make our services even more secure. We recently received a report via our Vulnerability Reward Program of a security issue affecting a small subset of file types in Google Drive and have since made an update to address it.

This issue is only relevant if all of the following apply:
  • The file was uploaded to Google Drive
  • The file was not converted to Docs, Sheets, or Slides (i.e. remained in its original format such as .pdf, .docx, etc.)
  • The owner changed sharing settings so that the document was available to “Anyone with the link”
  • The file contained hyperlinks to third-party HTTPS websites in its content
In this specific instance, if a user clicked on the embedded hyperlink, the administrator of that third-party site could potentially receive header information that may have allowed him or her to see the URL of the original document that linked to his or her site.

Today’s update to Drive takes extra precaution by ensuring that newly shared documents with hyperlinks to third-party HTTPS websites will not inadvertently relay the original document’s URL.

While any documents shared going forward are no longer impacted by this issue, if one of your previously shared documents meets all four of the criteria above, you can generate a new sharing link with the following steps:
  1. Create a copy of the document, via File > "Make a copy..."
  2. Share the copy of the document with particular people or via a new shareable link, via the “Share” button
  3. Delete the original document


  1. Is there a easy query to see all the documents that a shared with a public link?

  2. I received the Google verification code. When I tried to retrieved it, it started to call an intl number to Turkey! I ended the call quikly. Is that something I should be concerned about?

  3. Great to see this loop closed for new documents. However if, like me, you suspect you may have existing documents which match these criteria... how do you find them !!!!

    Can't the back-fix be applied by Google through code?

  4. Does this kind of vulnerability qualify for the bounty?

  5. Google + just confuses me! I've got photo albums that met the criteria above...is it ok just to delete the hyperlink?


You are welcome to contribute comments, but they should be relevant to the conversation. We reserve the right to remove off-topic remarks in the interest of keeping the conversation focused and engaging. Shameless self-promotion is well, shameless, and will get canned.

Note: Only a member of this blog may post a comment.