At Google, ensuring the security of our users is a top priority, and we are constantly assessing how we can make our services even more secure. We recently received a report via our
Vulnerability Reward Program of a security issue affecting a small subset of file types in Google Drive and have since made an update to address it.
This issue is only relevant if
all of the following apply:
- The file was uploaded to Google Drive
- The file was not converted to Docs, Sheets, or Slides (i.e. remained in its original format such as .pdf, .docx, etc.)
- The owner changed sharing settings so that the document was available to “Anyone with the link”
- The file contained hyperlinks to third-party HTTPS websites in its content
In this specific instance, if a user clicked on the embedded hyperlink, the administrator of that third-party site could potentially receive header information that may have allowed him or her to see the URL of the original document that linked to his or her site.
Today’s update to Drive takes extra precaution by ensuring that newly shared documents with hyperlinks to third-party HTTPS websites will not inadvertently relay the original document’s URL.
While any documents shared going forward are no longer impacted by this issue, if one of your previously shared documents meets all four of the criteria above, you can generate a new sharing link with the following steps:
- Create a copy of the document, via File > "Make a copy..."
- Share the copy of the document with particular people or via a new shareable link, via the “Share” button
- Delete the original document