I just got an email that is clearly from some random spammer, asking for permission to share my spreadsheet "Wedding Stuff". This is the spreadsheet Kate drew up, that outlines the Wedding App that I have to have ready in Querki by April. (Yes, our wedding invitations have a spec. This simply demonstrates that we are well-suited to each other.)
That's not the disturbing part -- I expect random spammers to request random stuff all the time. What's disturbing is that it was even *possible* for him to request this. I mean, this is a private document in Google Docs, shared with nobody except Kate. Nobody else should even be able to see its existence, much less request access to it. So in principle, this email shouldn't have even been possible.
For now, I'm going to be optimistic, and guess that the spammer is simply plugging random numbers into an API -- not targeting any particular documents, just scatter-shotting requests in the hopes that some people will be dumb enough to grant access to something with personally identifying information. (Which, sadly, will probably work.) That wouldn't be *too* big a security hole. (Certainly not as bad as the possibility that Google is actually leaking the structure of my document tree.) But even that is somewhat sadly careless: as this particular phishing scam demonstrates, this approach does make it too easy for the bad guys to do something nasty.
The moral of the story is a basic security principle (which I should remember myself for Querki): simply knowing an object ID shouldn't allow you to do *anything* unless that object is fully public...
That's not the disturbing part -- I expect random spammers to request random stuff all the time. What's disturbing is that it was even *possible* for him to request this. I mean, this is a private document in Google Docs, shared with nobody except Kate. Nobody else should even be able to see its existence, much less request access to it. So in principle, this email shouldn't have even been possible.
For now, I'm going to be optimistic, and guess that the spammer is simply plugging random numbers into an API -- not targeting any particular documents, just scatter-shotting requests in the hopes that some people will be dumb enough to grant access to something with personally identifying information. (Which, sadly, will probably work.) That wouldn't be *too* big a security hole. (Certainly not as bad as the possibility that Google is actually leaking the structure of my document tree.) But even that is somewhat sadly careless: as this particular phishing scam demonstrates, this approach does make it too easy for the bad guys to do something nasty.
The moral of the story is a basic security principle (which I should remember myself for Querki): simply knowing an object ID shouldn't allow you to do *anything* unless that object is fully public...