If you’re currently sharing spreadsheets, documents or presentations using Google Docs, go double-check the permissions settings of those shared docs right now.
Wired.com has discovered a design flaw in the web app’s user interface that could lead users to mistakenly open up their docs to editing by anybody on the internet.
A co-worker of mine discovered Wednesday morning that the Wired Tech Layoff Tracker, a spreadsheet we’re sharing with all of you using Google’s free service, had been changed. The name of the reader who had edited the doc wasn’t known to my co-worker, and he certainly hadn’t knowingly given edit permissions to anyone outside Wired.com.
Thankfully, our hacker was a benevolent fellow who immediately notified us he had been able to edit our shared document. Thanks to him, we were able to fix the sharing setting before anyone else could fiddle with our spreadsheet.
This is what you see when you choose to share a spreadsheet within Google Docs. (The red labels are my own). Shown is the Invite People tab, where you can add e-mail addresses of people you want to let view or edit your doc. You can also set permissions as you invite them, by clicking on the To Edit or To View radio buttons. I’ve labeled it section A.
At the bottom, in section B, are the Privacy settings, with three more radio buttons. The options are clear: you’re choosing whether to let people edit or view the document without signing in (signing in requires a Google account).
What’s not clear is that in this instance, “people” in section B refers not to the people you’ve specifically invited in section A, but rather everyone on the internet.
Again, you have a list of permitted users and their preferences in section A, and an Ajax-powered menu in section B that lets you allow “people” to edit or view the doc with or without signing in.
As before, the way section B is worded, it’s not clear that “people” means everyone on the internet, not the list of people up in section A.
You can probably guess we had set our permissions to “Let people edit without signing in,” which is what left us exposed. Why would we choose that setting? We simply wanted to lower the barrier of participation for everyone in the newsroom.
There are a few people working here (I won’t name them) who don’t trust Google and don’t want a Google account, and therefore wouldn’t add anything to our Layoff Tracker if we required them to sign in. Since we value their input, we left the option open, thinking we were only applying those privacy settings to our own approved invitees.
Some of you are probably reading this and thinking, “Duh!?” Maybe it’s totally clear to you that the options in section A and section B aren’t related, but it wasn’t to us. Look at how those tabs are laid out and labeled, and it becomes easy to see how other users would make the same mistake we did. Even if it’s a low number of users — say 10 percent — that’s a big design flaw.
If you’re currently sharing anything in Google Docs with the “Let people edit without signing in” option, be aware that your documents are about as secure as public wikis, especially if they’re embedded in an HTML page or linked to from a public website. We recommend changing the settings on each shared document to “Always require sign-in.” Also, update your notification settings to send you an e-mail whenever a document is edited by anyone.
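For anyone who would rather script the “double-check your permissions” step than click through every document, here is an added example (not code from the original Wired post, and not Google’s). It assumes the permission objects have the shape of the modern Google Drive API v3 `permissions` resource (`type`, `role`, `allowFileDiscovery`, `domain`), which is today’s equivalent of the “Let people edit/view without signing in” radio buttons described above; the `SAMPLE_FILES` data is constructed for illustration, and the `fetch` comment describing how to obtain real data is an assumption about the API, not something the post covers.

```python
"""Audit Drive sharing permissions for documents exposed to "everyone on the internet".

Added example, not part of the original post. Assumes Drive API v3 permission
objects; SAMPLE_FILES below is constructed data. With real credentials you would
fetch the same shape with files.list(fields="files(id,name,permissions)").
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Order used when sorting findings: most exposed first.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# Drive roles that allow changing content (the "To Edit" radio button).
WRITE_ROLES = {"owner", "organizer", "fileOrganizer", "writer"}


@dataclass(frozen=True)
class Finding:
    file_id: str
    name: str
    severity: str
    reason: str


def _verb(role: str) -> str:
    """Human-readable action a role grants."""
    if role in WRITE_ROLES:
        return "edit"
    if role == "commenter":
        return "comment on"
    return "view"


def classify_permission(perm: dict) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one permission, or None if it is scoped
    to named principals (type "user" or "group"), which is what section A grants."""
    ptype = perm.get("type")
    role = perm.get("role", "reader")
    verb = _verb(role)
    if ptype == "anyone":
        # This is the "without signing in" case: no Google account is needed.
        if verb == "edit":
            return ("critical", "anyone on the internet can edit it")
        if perm.get("allowFileDiscovery", False):
            return ("high", f"anyone can find it by searching and {verb} it")
        return ("medium", f"anyone who obtains the link can {verb} it")
    if ptype == "domain" and verb == "edit":
        # Whole-organization access: usually intended, but worth a look.
        domain = perm.get("domain", "<unknown domain>")
        return ("low", f"every account in {domain} can edit it")
    return None


def audit(files: Iterable[dict]) -> list:
    """Walk every file's permission list and collect exposures, most severe first."""
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            result = classify_permission(perm)
            if result is not None:
                severity, reason = result
                findings.append(Finding(f["id"], f.get("name", "?"), severity, reason))
    findings.sort(key=lambda x: (SEVERITY_ORDER[x.severity], x.name))
    return findings


def summarize(findings: Iterable[Finding]) -> dict:
    """Count findings per severity, e.g. {"critical": 1, "high": 1}."""
    counts: dict = {}
    for x in findings:
        counts[x.severity] = counts.get(x.severity, 0) + 1
    return counts


# Constructed sample data mirroring the situation in the post: one sheet open to
# anonymous editing, one publicly discoverable read-only file, one shared with a
# whole domain, one shared only with named users.
OWNER = {"type": "user", "role": "owner", "emailAddress": "editor@example.com"}
SAMPLE_FILES = [
    {"id": "f1", "name": "Tech Layoff Tracker",
     "permissions": [OWNER, {"type": "anyone", "role": "writer", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "Soccer schedule",
     "permissions": [OWNER, {"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
    {"id": "f3", "name": "Budget draft",
     "permissions": [OWNER, {"type": "domain", "role": "writer", "domain": "example.com"}]},
    {"id": "f4", "name": "Private notes",
     "permissions": [OWNER, {"type": "user", "role": "writer", "emailAddress": "colleague@example.com"}]},
]


if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(f"[{finding.severity.upper():8}] {finding.name} ({finding.file_id}): {finding.reason}")
    print(summarize(audit(SAMPLE_FILES)))
```

Anything reported as “critical” is the exact mistake described in this post; the fix is to remove the `anyone` permission (the modern equivalent of “Always require sign-in”) and re-share with named accounts or, where available, with your organization’s domain.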
I spoke with two representatives from the Google Apps team on the phone Wednesday afternoon, and they assured me Google has not heard of any instances where other users are getting tripped up by these privacy settings. (That’s not to say docs aren’t being exposed; it just means nobody has reported untoward activity.) The representatives did agree, however, that the interface was poorly worded and merits review, so they passed along our feedback to the rest of the Google Apps team.
Something else they stressed is that there’s a big difference between using Google Docs to share your kids’ soccer schedule and using it to share corporate data, which is why the company places tighter controls on its app offerings for small businesses. Google Apps Premier Edition, a commercial cloud-based service ($50 per user per year), gives admins the ability to authorize users within a specific domain — meaning users in your organization can be given permission to edit docs privately without logging in through a personal Google account.
What do you think about Google Docs’ security, especially when it comes to how “foolproof” the app is? What about collaborative, cloud-based services in general?
We’ll update this post if Google makes any changes to this part of the app’s interface.