back to article Mysterious ‘security update’ to Google Drive cloud storage locker will break links to some files

Google has advised administrators of its Workspace productivity suite that it’s set to improve security of its Drive cloud storage locker, but that the fix will break links to some files. The ad giant’s advisory to Workspace admins doesn’t mention the reason for the update, other than saying it’s an enhancement. The little …

  1. ShadowSystems

    Google fail.

    You refuse to tell what the "security" patch does, we refuse to apply it. You tell us it's for our own good, we tell you to cough up the details or go bugger yourself with a rusty salty metal spikey sea urchin.

    1. FILE_ID.DIZ Bronze badge
      Boffin

      Re: Google fail.

      Maybe disclosing now will provide enough hints to the problem for the baddies to exploit early, putting into jeopardy their extended go live date of 13SEP.

      While I don't buy google tech, I'm surprised that they couldn't provide a report of the impacted files and users "who haven't accessed the link yet". I mean, they know what's going to be changed, amirite?

      And hey, to each their own with not applying the (or really any) patch for an internet-facing application/service. I mean, putting stuff up on the internet - sorry, "cloud" - with a flaw that might allow world+dog to see is a bold move. Many before you have had data leak out of poorly secured storage and many after you will too, but I suspect most try to avoid doing so.

      1. Wlerin

        Re: Google fail.

        The change is for public links (anyone with link access). Their AI has not advanced enough to predict every last individual who will ever click the link at some point in the future. Also that's not who they mean by "users", but the actual owners of the files (who will always be able to access them).

        All it does is add an additional resourcekey parameter in the query string, similar to what other file sharing services already do with separate resource IDs and keys.

        Anyone who's paid attention to Google Drive should be able to guess why they're doing this. The string of letters and numbers that identifies any given file or folder is canonical, i.e. it doesn't change when you move the file or folder around. Any method that allowed hackers to get a list of such canonical IDs would be enough to give them access to any files shared using Anyone-With-Link. If the algorithm that generates the IDs is known it may also be possible to brute force file or folder (especially team drive) strings in much less time than you'd expect given the length of the string.

        None of this applies to files that haven't been shared using anyone-with-link sharing. You'll still only be able to access them if you're given permission (either individually or organizational).

  2. Kispin
    WTF?

    Epic Dodgey

    The biggest problem is that the notification email about this looks almost exactly like a Phishing email! Complete with link to 'Go to the Alert Center'

    There was no WAY I was going to click that link......

    1. John Robson Silver badge

      Re: Epic Dodgey

      Took me a long while to click it...

    2. Anonymous Coward
      Anonymous Coward

      Re: Epic Dodgey

      With news out that Google is sending such messages, I would fully expect an opportunist to fake such a message as a scam, knowing that more people than usual would click the button.

      At least the real message could just say "log into your control panel to read your message",

      and provide no button. Providing a button is just feeding the bears (not a perfect analogy).

    3. Pirate Dave Silver badge
      Pirate

      Re: Epic Dodgey

      Yep, and it takes a while to find the "Alert Center" if you don't know where it is and don't trust clicking that button.

  3. Christo
    Happy

    Time Traveling Update

    "Google says the update will be rolled out by September 13th, 2001 — 81 days downstream from its notification to admins."

    Good to see that the update was already applied in 2001... :-p

    1. Anonymous Coward
      Anonymous Coward

      Re: Time Traveling Update

      They chose a date when everybody would be distracted by world events, hoping nobody would notice...

  4. Dinanziame Silver badge
    Paris Hilton

    I completely fail to see why this would be necessary... I hope at some point we'll get a proper explanation.

    I mean, I don't think they'd bother all their users for shits'n'giggles, and this looks like it will be a major pain in the ads*, even though I don't see any way this could be useful to anybody?

    *Leaving autocorrect suggestion, it's appropriate

  5. Anonymous Coward
    Anonymous Coward

    I got an e-mail from Google Workspace telling me I had an "alert" to review in a very phishing sounding tone. I was almost convinced that it phishing was until I went to log into the console on a different device and this "alert" was telling me about this. Not very impressed at the notification e-mail at all, and the lack of transparency about the problem.

  6. Zarno Bronze badge

    A bit opaque on the delivery email.

    I got the email for my secondary site warning about this, and all it had was the following:

    ---

    Dear Google Workspace Administrator,

    You have an important notification from Google Operations that requires your attention.

    Sincerely,

    The Google Operations Team

    <footer snipped>

    ---

    With a big button to "go to alert center" that had a 200+ character URL.

    Needless to say, seemed sketchy as all getout.

    I didn't click the button, but did check for alerts after separately logging into the control panel.

    The actual change doesn't affect me much, thankfully...

  7. T. F. M. Reader Silver badge

    Impressions

    I also hesitated to click on the button. When I did, I tried to figure out what the change meant. It wasn't relevant to me at all - my only use case is when I get a link to a doc to look at.

    My impression was that the whole change was in the default sharing permissions: now when a user shares a file by default it is only shared withing her organization, and if the target audience includes "outsiders" that must be allowed explicitly. If the implementation involves mangling URLs somehow then it seems consistent with some links breaking, but only for users who have not yet looked at the shared docs, etc.

    But I may be completely wrong, and as I only use it "passively" I don't even really know what the current situation is. The above is just an attempt at parsing the announcement "imaginatively".

  8. Anonymous Coward
    Anonymous Coward

    Update is especially effective on the WD "My Book" live ..... /s

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021