Tag Archives: google

Google Docs Has A Big Gaping Security Hole

One of my final projects here as a Peace Corps volunteer in Kenya has been to implement a temporary information sharing platform for volunteers while we wait for a more permanent solution from the angels on high. Due to its speed, stability and bevy of features, we have decided to use the popular collaboration tool Google Docs. I have used it personally, but never on the scale of a Peace Corps program (around 150 users).

This morning, I was reverse engineering the invitation-based security model of Docs with an ICT RPCV friend of mine (whom I thank profusely for his patience), when I noticed a big, gaping, security hole: no matter what email address the invitation is sent to, if there is any Google account active in your browser’s session, then when you click the invitation link, it will link the Docs account to the active Google account, whether you authorize it or not.

This is great if you are clicking the link from a Google account. It just authorizes the account that the email was sent to in the first place. Works like a champ. But what if you use a Yahoo account or non-Google email…

The security concern scenario: A Peace Corps Volunteer (PCV) is sitting in a cyber cafe. The person at the computer before the volunteer forgets to log out of his Google account. The PCV subsequently gets on the computer and checks his Yahoo account, clicking the Google Docs invitation link. That’s all it takes. The owner of the logged-in Google account now has access to the Google Docs.

It’s not a particularly malicious hole. All it takes is for the admin of the Google Docs share to de-authorize the illegitimate Google account, but at the same time, no warning flags would be raised until the illegitimate account attempted to upload a file, which would subsequently be attributed to his Gmail account, and hopefully, catch someone’s eye. In the meantime, the illegitimate account has full access to the share and its information.

A solution to this would be a simple authorization confirmation step, where a dialog is brought up ensuring that, in fact, the user does want to link the currently logged-in Google account to the Docs application. Sadly, I don’t feel like this is really a large issue for Google because how frequently does a situation like this, where we have multiple users running on the same browser session, occur in the West?
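The confirmation step proposed above, modelled as an added example (not part of the original post, and not Google's code). `Share`, `redeem_unchecked`, `redeem_with_confirmation` and the `.example` addresses are hypothetical names for the invitation flow the post describes; the audit list is an assumption added so that the share admin sees a mismatch before any upload happens.

```python
from dataclasses import dataclass, field

@dataclass
class Share:
    """Hypothetical document share: pending invitations and linked accounts."""
    invites: dict = field(default_factory=dict)  # token -> invited email address
    members: set = field(default_factory=set)    # accounts that hold access
    audit: list = field(default_factory=list)    # (event, invited, account)

def redeem_unchecked(share, token, session_account):
    """Behaviour described in the post: whoever is signed in gets linked."""
    if share.invites.pop(token, None) is None:
        return "invalid"
    share.members.add(session_account)
    return "granted"

def redeem_with_confirmation(share, token, session_account, confirmed=False):
    """Proposed fix: an invitee/session mismatch needs explicit consent."""
    invited = share.invites.get(token)
    if invited is None:
        return "invalid"
    if session_account is None:
        return "login_required"
    mismatch = session_account.lower() != invited.lower()
    if mismatch and not confirmed:
        # Nothing is linked and the token stays valid until the dialog is answered.
        share.audit.append(("confirm_prompted", invited, session_account))
        return "confirm_required"
    del share.invites[token]  # single use: consume only on a real grant
    share.members.add(session_account)
    event = "linked_other_account" if mismatch else "linked"
    share.audit.append((event, invited, session_account))
    return "granted"

def cyber_cafe_demo():
    """Constructed scenario: invite sent to a Yahoo address, stale Google session."""
    stale = "previous.user@gmail.example"
    old = Share(invites={"tok-1": "pcv@yahoo.example"})
    new = Share(invites={"tok-1": "pcv@yahoo.example"})
    return (redeem_unchecked(old, "tok-1", stale), stale in old.members,
            redeem_with_confirmation(new, "tok-1", stale), stale in new.members,
            new.audit)
```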

N.B. I never ran a check to see if someone else has already discussed this topic, so sorry if this is a repeat.


A Day At The Baraza: First Impressions of Google Baraza

Baraza – n. – A Kiswahili term. An attempt at translation would be, “a meeting,” but usually it connotes a meeting with a specific goal, usually solving a problem or answering questions, led by a village committee or village elders.

I thought I would take some time and share my first impressions with a new Google service specifically targeting Africa: Google Baraza. Last week I was lucky enough to be individually selected amongst a group of handpicked candidates to help pilot this amazing new program.

Actually, that’s a lie. I requested a beta invite, and got one.

But the first version makes me seem so much more important! I’m not important, and in fact, here’s the link so that you might sign up for the service yourself if you so choose.  Mind you, it is heavily Africa-oriented, so join only if you have specific local knowledge about various parts of Africa (with a heavy focus on Ghana, Kenya, South Africa and Nigeria at the moment).

What is it?


Linux: It’s Everywhere and Nowhere

This entry is the second in a series covering GNU/Linux, an Operating System consisting of the Linux Kernel and applications from the Free and Open Source Software (FOSS) community, with an emphasis on its connections to the developing world.  These articles assume at least a moderate understanding of the Linux and FOSS communities.  For more information regarding these, I would direct interested parties to Linux.org as well as the Free Software Foundation and finally, for the truly interested, the GNU Manifesto. With all of this knowledge now in hand, I hope you enjoy the series. If you have not already done so, I suggest you go ahead and read the first post in the series: Linux: Not Ready for the Big Time.

Linux is Everywhere

In my first post in this series, I expostulated at quite some length on the fact that Linux is not ready for the Big Time. Yet, if one takes a closer look at the true state of Linux, one begins to notice that Linux is everywhere! How is it not ready for the Big Time? What even is the Big Time? To me, the Big Time is when it has become a household name, common to every person who is at least a bit familiar with computers, seen as an equal choice to Microsoft Windows and Apple Macintosh when choosing how you, the common user, will operate your computer.
