Reporting URLs that give users access to resources

In various Google products, it's possible to give other users access to certain resources. For example, in Blogger, you can invite other users to administer your blog, and in Drive you can share your files. These sorts of features often work by generating a URL with a token and sending that URL to the other user. When the URL is opened, the user gets the appropriate access. 

Sometimes we get notified about cases where the URL has been shared with a Google account (its intended recipient), but the link also works when opened from a different account — giving that other (unintended) user access to whatever was shared.

Is this a vulnerability? It depends. Such reports are always evaluated in the context of the affected application and the resource being shared. Often, the behavior is intended and well documented (for example, YouTube unlisted videos and the Google Drive “Share using a link” feature) — in these cases, “it’s not a bug, it’s a feature.” Sometimes, though, it’s not that clear.

When evaluating the severity of the issue, we take into consideration the following technical factors (at a minimum):

  • Does the URL expire? How long is the “attack window” open?
  • Can the URL be used only once?
  • Is it a https:// URL?
  • What is the token for?
  • Is the token short enough to be brute-forced?

Some nontechnical factors are also considered; for example, when the URL is created, what do we say to the user? Can they reasonably expect that the URL might be shared and forwarded to other users? How is this aspect documented in the product help, support articles, or UI text?

All of these factors help us assess the impact of the issue and determine what a successful attack would require. For example, if the URL expires after use and is sent to the recipient's e-mail address, the attack scenario requires either an account compromise at the time of sharing, or an untrustworthy owner who shares the URL. In such cases, even linking the URL to the intended recipient’s email address wouldn’t help, because the attacker might leverage the compromised account or cooperate with the mischievous user.

If you encounter URLs with tokens that provide access to other users’ resources, please take these factors into consideration and let us know the results of your investigation. We’re looking forward to your report!