Google fail.
You refuse to tell what the "security" patch does, we refuse to apply it. You tell us it's for our own good, we tell you to cough up the details or go bugger yourself with a rusty salty metal spikey sea urchin.
Google has advised administrators of its Workspace productivity suite that it’s set to improve security of its Drive cloud storage locker, but that the fix will break links to some files. The ad giant’s advisory to Workspace admins doesn’t mention the reason for the update, other than saying it’s an enhancement. The little …
Maybe disclosing now will provide enough hints to the problem for the baddies to exploit early, putting into jeopardy their extended go live date of 13SEP.
While I don't buy Google tech, I'm surprised that they couldn't provide a report of the impacted files and users "who haven't accessed the link yet". I mean, they know what's going to be changed, amirite?
And hey, to each their own with not applying the (or really any) patch for an internet-facing application/service. I mean, putting stuff up on the internet - sorry, "cloud" - with a flaw that might allow world+dog to see is a bold move. Many before you have had data leak out of poorly secured storage and many after you will too, but I suspect most try to avoid doing so.
The change is for public links (anyone with link access). Their AI has not advanced enough to predict every last individual who will ever click the link at some point in the future. Also that's not who they mean by "users", but the actual owners of the files (who will always be able to access them).
All it does is add an additional resourcekey parameter in the query string, similar to what other file sharing services already do with separate resource IDs and keys.
Anyone who's paid attention to Google Drive should be able to guess why they're doing this. The string of letters and numbers that identifies any given file or folder is canonical, i.e. it doesn't change when you move the file or folder around. Any method that allowed hackers to get a list of such canonical IDs would be enough to give them access to any files shared using Anyone-With-Link. If the algorithm that generates the IDs is known it may also be possible to brute force file or folder (especially team drive) strings in much less time than you'd expect given the length of the string.
None of this applies to files that haven't been shared using anyone-with-link sharing. You'll still only be able to access them if you're given permission (either individually or organizationally).
With news out that Google is sending such messages, I would fully expect an opportunist to fake such a message as a scam, knowing that more people than usual would click the button.
At least the real message could just say "log into your control panel to read your message", and provide no button. Providing a button is just feeding the bears (not a perfect analogy).
I completely fail to see why this would be necessary... I hope at some point we'll get a proper explanation.
I mean, I don't think they'd bother all their users for shits'n'giggles, and this looks like it will be a major pain in the ads*, even though I don't see any way this could be useful to anybody?
*Leaving autocorrect suggestion, it's appropriate
I got an e-mail from Google Workspace telling me I had an "alert" to review in a very phishing-sounding tone. I was almost convinced that it was phishing until I went to log into the console on a different device and this "alert" was telling me about this. Not very impressed at the notification e-mail at all, and the lack of transparency about the problem.
I got the email for my secondary site warning about this, and all it had was the following:
---
Dear Google Workspace Administrator,
You have an important notification from Google Operations that requires your attention.
Sincerely,
The Google Operations Team
<footer snipped>
---
With a big button to "go to alert center" that had a 200+ character URL.
Needless to say, seemed sketchy as all getout.
I didn't click the button, but did check for alerts after separately logging into the control panel.
The actual change doesn't affect me much, thankfully...
I also hesitated to click on the button. When I did, I tried to figure out what the change meant. It wasn't relevant to me at all - my only use case is when I get a link to a doc to look at.
My impression was that the whole change was in the default sharing permissions: now when a user shares a file by default it is only shared within her organization, and if the target audience includes "outsiders" that must be allowed explicitly. If the implementation involves mangling URLs somehow then it seems consistent with some links breaking, but only for users who have not yet looked at the shared docs, etc.
But I may be completely wrong, and as I only use it "passively" I don't even really know what the current situation is. The above is just an attempt at parsing the announcement "imaginatively".