One of my final projects here as a Peace Corps volunteer in Kenya has been to implement a temporary information sharing platform for volunteers while we wait for a more permanent solution from the angels on high. Due to its speed, stability and bevy of features, we have decided to use the popular collaboration tool Google Docs. I have used it personally, but never on the scale of a Peace Corps program (around 150 users).
This morning, I was reverse engineering the invitation-based security model of Docs with an ICT RPCV friend of mine (whom I thank profusely for his patience), when I noticed a big, gaping security hole: no matter what email address the invitation is sent to, if there is any Google account active in your browser’s session, then when you click the invitation link, it will link the Docs share to that active Google account, whether you authorize it or not.
This is great if you are clicking the link from a Google account. It just authorizes the account that the email was sent to in the first place. Works like a champ. But what if you use a Yahoo account or non-Google email…
The security concern scenario: A Peace Corps Volunteer (PCV) is sitting in a cyber cafe. The person at the computer before the volunteer forgets to log out of his Google account. The PCV subsequently gets on the computer, checks his Yahoo account and clicks the Google Docs invitation link. That’s all it takes. The owner of the still-logged-in Google account now has access to the Google Docs share.
It’s not a particularly malicious hole. All it takes is for the admin of the Google Docs share to de-authorize the illegitimate Google account, but at the same time, no warning flags would be raised until the illegitimate account attempted to upload a file, which would subsequently be attributed to his Gmail account, and hopefully, catch someone’s eye. In the meantime, the illegitimate account has full access to the share and its information.
A solution to this would be a simple authorization confirmation step, where a dialog is brought up ensuring that, in fact, the user does want to link the currently logged-in Google account to the Docs application. Sadly, I don’t feel like this is really a large issue for Google because how frequently does a situation like this, where we have multiple users running on the same browser session, occur in the West?
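To make the flaw and the proposed confirmation step concrete, here is an added Python model of the invitation flow; it is not Google's code and not from the original post, and the class and function names, the audit record and the sample addresses are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the invitation flow the post describes (not Google's code).
# Names (Invitation, Share, accept_*) are assumptions for this example.

@dataclass
class Invitation:
    token: str
    invited_email: str      # address the invitation mail was actually sent to

@dataclass
class Share:
    members: set = field(default_factory=set)
    audit: list = field(default_factory=list)   # events an admin could review

def accept_naive(inv: Invitation, share: Share, active_account: Optional[str]) -> str:
    """Flow as observed in the post: whatever Google account is active in the
    browser session gets linked, with no check against the invited address."""
    if active_account is None:
        return "login_required"
    share.members.add(active_account)
    return "linked"

def accept_hardened(inv: Invitation, share: Share, active_account: Optional[str],
                    confirmed: bool = False) -> str:
    """Hardened flow: link silently only when the active account matches the
    invited address; any other account must pass an explicit confirmation
    step, and the mismatch is recorded so the admin sees it before an upload."""
    if active_account is None:
        return "login_required"
    if active_account.lower() == inv.invited_email.lower():
        share.members.add(active_account)
        return "linked"
    if not confirmed:
        return "confirmation_required"
    share.members.add(active_account)
    share.audit.append(("linked_other_account", inv.invited_email, active_account))
    return "linked_after_confirmation"

def cyber_cafe_scenario(hardened: bool) -> tuple:
    """Constructed scenario from the post: the previous user left a Gmail account
    logged in; the volunteer opens an invitation sent to a Yahoo address."""
    inv = Invitation(token="tok-constructed", invited_email="pcv@yahoo.example")
    share = Share()
    stale_account = "previous-user@gmail.example"
    fn = accept_hardened if hardened else accept_naive
    result = fn(inv, share, stale_account)
    return result, sorted(share.members), list(share.audit)
```

Running `cyber_cafe_scenario(False)` links the stranger's account silently, while `cyber_cafe_scenario(True)` stops at the confirmation step with no member added.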
N.B. I never ran a check to see if someone else has already discussed this topic, so sorry if this is a repeat.