I just got an email that is clearly from some random spammer, asking for permission to share my spreadsheet "Wedding Stuff". This is the spreadsheet Kate drew up, that outlines the Wedding App that I have to have ready in Querki by April. (Yes, our wedding invitations have a spec. This simply demonstrates that we are well-suited to each other.)
That's not the disturbing part -- I expect random spammers to request random stuff all the time. What's disturbing is that it was even *possible* for him to request this. I mean, this is a private document in Google Docs, shared with nobody except Kate. Nobody else should even be able to see its existence, much less request access to it. So in principle, this email shouldn't have even been possible.
For now, I'm going to be optimistic, and guess that the spammer is simply plugging random numbers into an API -- not targeting any particular documents, just scatter-shotting requests in the hopes that some people will be dumb enough to grant access to something with personally identifying information. (Which, sadly, will probably work.) That wouldn't be *too* big a security hole. (Certainly not as bad as the possibility that Google is actually leaking the structure of my document tree.) But even that is somewhat sadly careless: as this particular phishing scam demonstrates, this approach does make it too easy for the bad guys to do something nasty.
The moral of the story is a basic security principle (which I should remember myself for Querki): simply knowing an object ID shouldn't allow you to do *anything* unless that object is fully public...
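As an added example (not code from this post, from Google Docs, or from Querki), here is a small Python model of the principle just stated: an access-request handler whose reply is identical whether a guessed ID names a nonexistent document or a private one, and which only forwards a request to the owner when the requester is already allowed to see that the document exists. The `DocumentStore` class, the `leaky_request_access` and `request_access` methods, the `owner_notifications` list and the user names are all constructed for illustration.

```python
"""Constructed example: an access-request handler that honours the rule
"knowing an object ID buys you nothing unless the object is public".
Not code from Google Docs or Querki; every name here is hypothetical."""
import secrets
from dataclasses import dataclass, field

# One fixed answer for every request, so the reply can never act as an
# existence oracle for guessed IDs.
GENERIC_RESPONSE = "If this document exists and you may see it, its owner has been notified."


@dataclass
class Document:
    doc_id: str
    owner: str
    public: bool = False                        # fully public: anyone may discover it
    shared_with: set = field(default_factory=set)


class DocumentStore:
    def __init__(self):
        self._docs = {}
        # Stand-in for the "X wants access to Y" e-mail sent to the owner.
        self.owner_notifications = []

    def create(self, owner, public=False):
        # 128 random bits per ID: blind enumeration of the ID space is infeasible,
        # which is the first line of defence against "plugging random numbers in".
        doc_id = secrets.token_urlsafe(16)
        self._docs[doc_id] = Document(doc_id, owner, public)
        return doc_id

    def share(self, doc_id, actor, user):
        doc = self._docs[doc_id]
        if actor != doc.owner:
            raise PermissionError("only the owner may share a document")
        doc.shared_with.add(user)

    def can_see(self, requester, doc_id):
        """True only if the ID names a document the requester may know exists."""
        doc = self._docs.get(doc_id)
        if doc is None:
            return False
        return doc.public or requester == doc.owner or requester in doc.shared_with

    # --- the behaviour the post complains about ------------------------------
    def leaky_request_access(self, requester, doc_id):
        doc = self._docs.get(doc_id)
        if doc is None:
            return "no such document"           # confirms which guessed IDs are real
        self.owner_notifications.append((doc.owner, requester, doc_id))
        return "request sent to owner"          # and any ID at all reaches the owner's inbox

    # --- the behaviour the post's principle calls for ------------------------
    def request_access(self, requester, doc_id):
        # Only a document the requester is already allowed to see can generate
        # a notification; a private or nonexistent ID produces no side effect.
        if self.can_see(requester, doc_id):
            doc = self._docs[doc_id]
            if requester != doc.owner and requester not in doc.shared_with:
                self.owner_notifications.append((doc.owner, requester, doc_id))
        # Identical reply in every case: nonexistent, private, public, already shared.
        return GENERIC_RESPONSE


if __name__ == "__main__":
    store = DocumentStore()
    private_id = store.create("owner")
    public_id = store.create("owner", public=True)
    store.share(private_id, "owner", "kate")
    same = store.request_access("stranger", private_id) == store.request_access("stranger", "not-a-real-id")
    print("private and nonexistent IDs answered identically:", same)
    print("notifications after private guess:", store.owner_notifications)   # none
    store.request_access("stranger", public_id)
    print("notifications after public request:", store.owner_notifications)  # one entry
```

The point of the hardened version is that the caller's reply carries no information about the ID, and the only observable effect (an e-mail to the owner) is gated on the requester already being permitted to see the document. The unguessable ID is a second, independent layer: even if the reply did leak, the space is too large to enumerate.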
(no subject)
Date: 2012-12-07 05:45 pm (UTC)

But otherwise, that's the leakage I mean. This was a highly private document that AFAIK is accessible only to me and Kate. The *existence* of the document should be private. So any answer other than "brute force" means that there is an information leak.
(Even in the brute force case, there is a slight leakage: it looks like Google has admitted that this randomly-guessed number is the ID of a valid document. Minor, but still enough for me to notice...)
(no subject)
Date: 2012-12-07 05:54 pm (UTC)

My money for likeliest avenue of the link escaping would be on attack of your or Kate's browser that stole recent history.