Has this Google Docs bug exposed your private documents to attackers?

There are was a bug in Google Docs in which independent security researcher Sreeram KL first detected the Google Docs bug exposed fix issues. Recently, Google patched the bug which it didn’t, would’ve allowed threat actors to access user’s private Google Docs.

The problem appeared in Google Doc’s Send Feedback system and other Google products that had this system integrated.

What was the Google Docs bug

The bug was reported back on July 9 by Sreeram. Google took some time in releasing the fix. The time bug stayed until the fix, may have allowed attackers to compromise any user’s privacy.

According to Sreeram, Google uses the Send Feedback system throughout its many products. The system had a screen capture tool, which was activated when a user decides to send feedback.

The Send Feedback system’s problem is that the distribution would allow a threat actor to understand the RGB values on the screen. To get a clear picture of the document, they would decode the values.

Reason for the Bug to Occur

Google wasn’t using any independent system for feedback collection. They would redirect all the information to a common URL, regardless of getting the feedback.

Because of that, an attacker could modify the iFrame code on the page to forward the information to websites other than Google.

Final Thoughts

Google has finally released the fix for the patch. Before the patch’s release, attackers could have targeted customers by placing an iFrame of a Google Docs document on their website.

If a user clicks on the send button, the attacker could have seen the private document’s screenshot. As thousands of users use Google Docs worldwide, it’s scary to have such issues occur on the platform.

About The Author