Google Informs Docs Users Of Security Lapse

This is a quick follow-up note to my post A New Security Breach in Google Docs Revealed. Information Week has reported that Google Informs Docs Users Of Security Lapse, which includes this quote:

The last such Google Docs security lapse was reported in September, when Tim Bass, posting to the (ISC)² blog, disclosed a caching flaw that led to inadvertent document sharing in certain circumstances.

Information Week quotes Google as saying, “the inadvertent sharing was limited to people with whom the document owner, or a collaborator with sharing rights, had previously shared a document.”

For the record, the Google Docs bug that I posted about was not limited to people with sharing rights or a previously shared document. I know this for a fact because the documents (belonging to others) that were found in my account were from someone with whom I never had any association.

We are confident that the security breach was caused by an over-aggressive proxy server at an ISP (in Thailand) and a configuration / coding error in how Google manages Google Docs sessions. Session management can be very challenging across the web. When you combine the complexities of session management with an aggressive proxy cache, it is easy to see that this is a major Internet vulnerability.
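The interaction described above can be shown with a small model. This is an added example, not code from the original post and not a reconstruction of Google's or the ISP's systems; the origin, the session names, the URL and the `SharedProxy` class are all hypothetical. It contrasts a shared cache that keys on the URL alone and ignores origin headers with one that honors `Cache-Control: private` / `no-store`.

```python
# Toy model (constructed data): an origin serving per-session documents,
# reached by two unrelated users through the same shared proxy cache.

DOCS = {"sess-alice": "Alice's private draft", "sess-bob": "Bob's private draft"}


def origin(url, cookie):
    """Hypothetical origin: the body depends on the session cookie, not the URL."""
    headers = {"Cache-Control": "private, no-store"}
    return headers, DOCS.get(cookie, "login required")


class SharedProxy:
    """Shared cache. aggressive=True stores every response, keyed on URL only."""

    def __init__(self, aggressive):
        self.aggressive = aggressive
        self.store = {}  # url -> cached body

    def get(self, url, cookie):
        if url in self.store:
            # Cache hit: the requester's cookie is never consulted.
            return self.store[url]
        headers, body = origin(url, cookie)
        directives = {
            d.strip().lower() for d in headers.get("Cache-Control", "").split(",")
        }
        forbidden = bool(directives & {"private", "no-store"})
        if self.aggressive or not forbidden:
            self.store[url] = body
        return body


def simulate(aggressive):
    """Alice then Bob request the same URL, each with their own session."""
    proxy = SharedProxy(aggressive)
    url = "/docs/home"  # assumed: same URL for every user, content chosen by session
    alice_sees = proxy.get(url, "sess-alice")
    bob_sees = proxy.get(url, "sess-bob")
    return alice_sees, bob_sees


if __name__ == "__main__":
    print("aggressive cache:", simulate(True))
    print("compliant cache: ", simulate(False))
```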

See also my earlier post on this topic: Comments on Proxy Caches and Web Application Security

Copyright © 2007-2008, The CEP Blog, All Rights Reserved.