2

I have been digging into Google Drive while I am trying to investigate a proper way to protect files on a site. In my experience if a user has the URL to a file they can access it without any protection, like Facebook images for example.

However, Google Drive has a different method. For example, an image has the path src='blob:https://drive.google.com/cbdb6dfeSOMEBINGHASH----a3c121353655'.

So how is Google Drive protecting these files? And if I could guess the URL to a file, would I be able to access it?

aresne lupin
    If you could, that would be what we call an insecure direct object reference vulnerability. See the OWASP Top 10 for more. – Xander Jul 29 '15 at 21:36

2 Answers

2

The answer to the main question is NO. Each individual file has its own permissions.

Choose an appropriate sharing setting — Private, Anyone with the link, or Public — for your files, folders and Google documents.

Source: Google

Google generates an ID based on the sharing permissions, and only authorized sessions (to the Google IaaS) are able to retrieve the file.

Downloading the file requires the user to have at least read access.

Source: Google

1

By default, every document you upload onto Google Drive is marked as owned by me only, which means only you have access (read & write) to it. This was not the case in the past, when the default setting was public.

That said, you can always choose the sharing settings you want. You can share the document (to view and/or edit) by sending its link to someone you want, in which case only that file will be available to him/her and nothing else in your Google Drive.

You can set a given document to public too (in case you are a teacher and want to share a huge file with your students, for example).

  • Hmm, the thing is every file must exist on the file system and must have an absolute path. I guess the question is, is that true in Drive? Can one deduce the absolute path of a file, or is everything processed based on the ID in the URL? – aresne lupin Jul 29 '15 at 16:22
  • You will never know the absolute physical path because you do the file administration via a web interface and also because Google has your file in their cloud anyway... –  Jul 29 '15 at 16:24
  • @aresnelupin Files may be on Google's server filesystem or not (for example in a database), but even in the first case it doesn't mean the server must give up any file to any user who typed the path correctly. – Cthulhu Jul 29 '15 at 16:25
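
The point made in the answers and comments above (files are looked up by ID and every request is checked against that file's sharing setting) can be sketched as follows. This is an added example, not part of the original thread and not Google's implementation; `FileStore`, its methods and the user names are hypothetical.

```python
import secrets
from dataclasses import dataclass, field

# The three sharing settings named in the first answer.
PRIVATE, ANYONE_WITH_LINK, PUBLIC = "private", "anyone_with_link", "public"

@dataclass
class StoredFile:
    owner: str
    content: bytes
    sharing: str = PRIVATE                      # default: owner only
    readers: set = field(default_factory=set)   # users explicitly granted read

class FileStore:
    """Hypothetical store: files are addressed by opaque ID, never by path."""

    def __init__(self):
        self._files = {}

    def upload(self, owner, content, sharing=PRIVATE):
        # Unguessable ID, but the ID is not the access control for private files.
        file_id = secrets.token_urlsafe(24)
        self._files[file_id] = StoredFile(owner, content, sharing)
        return file_id

    def share_with(self, file_id, owner, user):
        f = self._files[file_id]
        if f.owner != owner:
            raise PermissionError("only the owner can change sharing")
        f.readers.add(user)

    def can_read(self, file_id, user):
        f = self._files.get(file_id)
        if f is None:
            return False
        if f.sharing in (PUBLIC, ANYONE_WITH_LINK):
            return True                         # here, holding the link is the grant
        # Private: the session's identity must be the owner or a listed reader.
        return user is not None and (user == f.owner or user in f.readers)

    def download(self, file_id, user=None):
        # Same answer for "no such file" and "not allowed", so responses
        # cannot be used to tell which IDs exist.
        if not self.can_read(file_id, user):
            return 404, b""
        return 200, self._files[file_id].content
```

With this check in place, knowing or guessing the ID of a private file returns the same 404 as a nonexistent ID unless the requesting session belongs to the owner or a listed reader.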