Don't freak out over Google Drive security (yet)

Following a solid response to a Google Drive security issue, Google must now apply the lessons learned across the board

If word about a recently discovered security hole in Google Drive has you on edge, take a deep breath. Not only is it nowhere near as bad as it might seem, but Google's handling of the matter is further evidence that the company has a good nose for how to deal with such exploits. But here's also hoping Google applies the lessons from this discovery to all its services.

First, the hole itself: Late last month, Google reported it had been informed about a subtle security hole in Google Drive in which clicking a hyperlink within a document sent referer data to the linked website, meaning the owners of the site could see the document's URL. That narrows the scope of the impact a great deal, since such information isn't casually available to an attacker in a drive-by fashion.
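To make the referer mechanism concrete, the following added example (not from the original article or from Google) models which Referer value a browser sends for each standard Referrer-Policy value, and lists the policies under which a secret document URL reaches the linked site. The Referrer-Policy mechanism is not mentioned in the article; the hostnames, document ID and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample URLs (placeholder hosts, not real Drive links).
DOC = "https://drive.example/file/d/CONSTRUCTED-SECRET-ID/edit#heading=1"
LINK = "https://third-party.example/page"

POLICIES = ("no-referrer", "unsafe-url", "origin", "same-origin",
            "origin-when-cross-origin", "no-referrer-when-downgrade",
            "strict-origin", "strict-origin-when-cross-origin")

def _origin(url):
    p = urlsplit(url)
    host = p.hostname or ""
    return f"{p.scheme}://{host}:{p.port}" if p.port else f"{p.scheme}://{host}"

def _stripped(url):
    # Browsers drop userinfo and the fragment but keep path and query.
    p = urlsplit(url)
    query = f"?{p.query}" if p.query else ""
    return f"{_origin(url)}{p.path or '/'}{query}"

def referer_for(policy, source_url, dest_url):
    """Referer value sent when following dest_url from source_url, or None."""
    same_origin = _origin(source_url) == _origin(dest_url)
    # Simplification: "downgrade" here means https source to non-https target.
    downgrade = (urlsplit(source_url).scheme == "https"
                 and urlsplit(dest_url).scheme != "https")
    full, origin_only = _stripped(source_url), _origin(source_url) + "/"
    table = {
        "no-referrer": None,
        "unsafe-url": full,
        "origin": origin_only,
        "same-origin": full if same_origin else None,
        "origin-when-cross-origin": full if same_origin else origin_only,
        "no-referrer-when-downgrade": None if downgrade else full,
        "strict-origin": None if downgrade else origin_only,
        "strict-origin-when-cross-origin":
            full if same_origin else (None if downgrade else origin_only),
    }
    if policy not in table:
        raise ValueError(f"unknown policy: {policy}")
    return table[policy]

def leaking_policies(source_url, dest_url, secret):
    """Policies under which the secret part of the URL reaches the target."""
    return [p for p in POLICIES
            if secret in (referer_for(p, source_url, dest_url) or "")]
```

With `no-referrer-when-downgrade`, long the browser default, an HTTPS-to-HTTPS click hands the full document URL to the linked site; the origin-only and `no-referrer` policies keep the path private.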

Jerome Segura, senior security researcher for Malwarebytes, noted that while Google fixed the problem promptly, there remained the issue of "security through obscurity." In Segura's words: "[Access to private links for Google Drive documents] exists to anyone who has or guesses the link. Much better protection would be to send a link that requires user authentication on top of being a private link."

The hole was declared patched as of the release of the announcement, although it isn't clear from Google's notice how much time had elapsed between the company being notified about the problem and fixing it. Google's guidelines for responsible disclosure hint at it having been no more than 60 days, and Google claims the issue had been reported responsibly through its existing Vulnerability Reward Program, which pays out cash bounties to those who find security holes in Google's products.

InfoWorld's Roger Grimes, despite his own misgivings about the effectiveness of bug bounties, has noted that rewards increase the number of above-board bug submissions. "The biggest problem with bug bounty programs is that you never know which security bugs will 'go big'," he wrote. "Very few security bugs, no matter how severe, end up exploiting millions and millions of customers." Likewise, the Google Drive issue doesn't fit into that category.

At the same time, the obscurity of the bug might amount to a lesson not learned. "The bigger question is," Grimes wrote in an email, "if Google, as a huge cloud provider, took the lesson learned and applied it to all its other services that could have similar vulnerabilities?" His worry is that a potential attacker might try to determine if Google's other services have a similar vulnerability and try to exploit it aggressively.

With all the talk about the security hole of the day in the cloud service of the week, it's easy to forget that not everything rates the same level of attention or alarm. But it's also easy to forget that a minor security problem might not always remain that way.

This story, "Don't freak out over Google Drive security (yet)," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.

Copyright © 2014 IDG Communications, Inc.