Are your files securely stored at Google Drive and Docs?

Google Drive and Docs are popular cloud storage and productivity services that allow users to store and share files online. But are your files securely stored when you use these services?

Introduction

Google Docs and Drive are popular services provided by Google that allow users to securely upload, edit, and view files and directories. Google uses multiple methods to secure user data, including obfuscating URLs so that users cannot manipulate a URL to reach content they were not intended to access. Google offers multiple file-sharing options, including "Anyone with the link." This option should give users peace of mind that their files will only be accessible to those with the exact link. However, Momen Eldawakhly and I conducted an investigation and discovered that user uploads are publicly exposed.

Background

I'm a Googler! I use Google services extensively, including Google Drive and Docs. A few days ago, I received an email asking for editing access to one of my files. This was strange, as I had not shared the link with anyone. I expected that these links would not be brute-forceable, as Google randomizes them. Since then, I have been curious to know how this happened. I began to investigate to see if Google Drive and Docs are truly taking advantage of their URL randomisation, or if they are only using it to prevent certain attacks, such as brute forcing.

Analysis Phase

Before starting our investigations, we wanted to perform some analysis of the URL schemes that Google uses in their services, especially Drive and Docs. This may help us in our investigations by allowing us to check whether an attacker could gain access to them.

  1. drive.google.com: The Google Drive subdomain.

  2. /file/d/: This specifies the type of content, here a file, and is followed by the file's unique, randomised ID. Note that /file/d/ changes to /drive/folders/ for a folder or directory instead of a single file.

  3. 1yxideHESU_LlHty5VXq9JmDBDPCcJ30a: The randomised ID.

  4. view: This section specifies the action, either view or edit.

For Google Docs, the scheme is not very different, as Google tries to use one algorithm/scheme across some of its services.
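The URL scheme broken down above, turned into a small parser that a site owner could run over their own pages or exported documents to inventory the Drive and Docs share links they have published, with edit links listed first. This is an added example, not code from the original article; the function names and the `EXAMPLE_...` IDs in the sample text are constructed for illustration, and only the path prefixes named in the article are recognised.

```python
import re
from urllib.parse import urlsplit

# (host, path prefix) pairs named in the article, mapped to a content kind.
KINDS = {
    ("drive.google.com", "/file/d/"): "file",
    ("drive.google.com", "/drive/folders/"): "folder",
    ("docs.google.com", "/document/d/"): "document",
    ("docs.google.com", "/spreadsheets/d/"): "spreadsheet",
}
URL_RE = re.compile(r"https?://(?:drive|docs)\.google\.com/[^\s\"'<>)]+")

def parse_share_url(url):
    """Split a Drive/Docs URL into host, kind, id and action; None if unrecognised."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    for (known_host, prefix), kind in KINDS.items():
        if host == known_host and parts.path.startswith(prefix):
            rest = parts.path[len(prefix):].split("/")
            if not rest[0]:
                return None  # prefix present but no ID after it
            # Folder links carry no action segment, so action may be None.
            action = rest[1] if len(rest) > 1 and rest[1] else None
            return {"host": host, "kind": kind, "id": rest[0], "action": action}
    return None

def audit_text(text):
    """Return parsed share links found in text, de-duplicated by ID, edit links first."""
    seen, found = set(), []
    for match in URL_RE.finditer(text):
        info = parse_share_url(match.group(0).rstrip(".,;"))
        if info and info["id"] not in seen:
            seen.add(info["id"])
            found.append(info)
    return sorted(found, key=lambda i: i["action"] != "edit")

# Constructed sample: a page or export you own that embeds share links.
SAMPLE = """
<a href="https://drive.google.com/file/d/1yxideHESU_LlHty5VXq9JmDBDPCcJ30a/view?usp=sharing">report</a>
Minutes: https://docs.google.com/document/d/EXAMPLE_DOC_ID_0001/edit.
Budget https://docs.google.com/spreadsheets/d/EXAMPLE_SHEET_ID_02/edit#gid=0
Folder https://drive.google.com/drive/folders/EXAMPLE_FOLDER_ID_3
https://docs.google.com/document/d/EXAMPLE_DOC_ID_0001/view
"""

if __name__ == "__main__":
    for link in audit_text(SAMPLE):
        print(link["kind"], link["action"], link["id"])
```

Links reported with the `edit` action are the ones to review first, since anyone who finds the URL can request or use edit access depending on the file's sharing setting.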

Dorking Phase

After analysing the URL schemes, we began to dork, as it is the ideal way to exploit something like that. At this point, we expected that Google may be indexing the randomised URLs, which would undermine the purpose of the randomisation, as these URLs should not be available to the internet. We started by using our previous analysis to create the following dorks:

Each one of these dorks returns a huge number of files indexed by Google, which exposes the whole randomised URLs:

  • site:docs.google.com inurl:/spreadsheets/d/ (124,000 results)

  • site:drive.google.com inurl:/file/d/ (676,000 results)

  • site:docs.google.com inurl:/document/d/ (1,120,00 results)

Then, we wanted to be more specific. Going back to our analysis, we realized that the action section, which can be either "view" or "edit", can be specified in our dork. This would allow us to retrieve the whole set of editable docs, for example. We therefore specified the action section in our dorks, and the final dorks became:

  • site:docs.google.com inurl:/document/d/ inurl:edit (238,000 results)

  • site:docs.google.com inurl:/spreadsheets/d/ inurl:edit (58,200 results)

Conclusion

The methodology introduced here is just an explanation of a mindset and of critical thinking, meant to help testers and OSINTers develop their own strategies and methodologies. We reached out to Google's security team, suggesting that they stop crawling and indexing users' files, as users expect that their links are only available to the people they share them with. They replied that this is intended behavior. However, this can still be used by both good and malicious actors to gain access to and abuse other people's files.
