I was collaborating on a Google Doc with Skycure co-founder Adi Sharabani and our VP of Marketing, Varun Kohli, when I noticed a security issue in Google Docs. Under certain conditions, an attacker can post comments to a Google Doc while impersonating a victim's account.
It turns out that when a Google Docs user submits a comment on a document from the Google Docs iOS app, a notification email is sent (subject to each collaborator's notification settings) to the other collaborators of the document. The interesting part is that Google Docs generates a unique reply address for each notification and binds it to the account of the recipient. Replying to the notification creates a new comment under the recipient's identity, with no further verification: the reply address alone decides who the comment is attributed to, so it effectively acts as a bearer credential for that account.
In many cases, people reply to such mails and add other recipients as an FYI. Because the mail client puts the unique reply address in the To: field of the reply, every added recipient sees it. The address is thereby "leaked" to all recipients of that email, and any of them can later send mail to it and post comments on the victim's behalf.
Skycure takes pride in abiding by vendors' responsible disclosure policies. Per that policy, we notified Google of this issue in March 2015. Following our correspondence with the Google Security team, Google decided not to fix this bug and accepts the risk as a consequence of its current design. Given the importance and widespread prevalence of Google Docs in enterprises today, and after coordination with Google's security team, we decided to publish this blog post and inform users of this security issue.
Reproduction of the issue
1. A Google Doc is created.
2. A comment is created by Yair Amit via the Google Docs iOS app.
3. A notification email is sent by Google Docs to John (the victim), who is registered to receive notifications about changes in the document.
4. John responds with his input and CCs Sam (the attacker).
5. John’s comment shows up in the doc.
6. Sam (the attacker) receives the email from John (the victim) and extracts the unique Google Doc email address.
7. Sam (the attacker) sends an email with his own message to that address, effectively impersonating John (the victim).
8. The Google Doc shows Sam's comment as if it came from John.
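To make the mechanism behind steps 2 to 8 concrete, here is an added toy model of the reply-by-email flow. It is not code from the original post and not Google's implementation: the reply address format (`d+<token>@...`), the domain `docs.example.invalid`, the names and messages, and the optional sender check are all assumptions for illustration. The model shows why the reply address behaves like a bearer credential: the server looks up the account from the token in the To: line and never asks who actually sent the mail.

```python
"""Toy model of the reply-by-email comment flow described above.

Added illustration: the address format (d+<token>@...), the domain and the
optional sender check are assumptions, not Google's implementation.
"""
import secrets
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr


class CommentServer:
    """Issues one reply address per notification and turns inbound mail
    to that address into a comment attributed to the address's owner."""

    def __init__(self, reply_domain="docs.example.invalid"):
        self.reply_domain = reply_domain
        self.tokens = {}    # token -> account the address was issued to
        self.comments = []  # (attributed author, comment text)

    def notify(self, recipient, author, text):
        """Notification sent to `recipient` when `author` comments."""
        token = secrets.token_urlsafe(16)
        self.tokens[token] = recipient
        msg = EmailMessage()
        msg["From"] = f'"{author} (Google Docs)" <comments-noreply@{self.reply_domain}>'
        msg["To"] = recipient
        msg["Reply-To"] = f"d+{token}@{self.reply_domain}"   # assumed format
        msg["Subject"] = "New comment on a document"
        msg.set_content(f"{author} commented: {text}")
        return msg

    def receive(self, msg, verify_sender=False):
        """Handle mail addressed to a reply address. Returns the identity the
        resulting comment is attributed to, or None if the mail was rejected.

        verify_sender=False reproduces the observed behaviour: whoever holds
        the address can comment as its owner. verify_sender=True is an assumed
        mitigation that requires the sender to match the bound account (a real
        deployment would need SPF/DKIM behind it, since From: alone is forgeable).
        """
        for _, addr in getaddresses(msg.get_all("To", [])):
            local, _, domain = addr.partition("@")
            if domain != self.reply_domain or not local.startswith("d+"):
                continue
            owner = self.tokens.get(local[2:])
            if owner is None:
                return None
            if verify_sender and parseaddr(msg["From"])[1] != owner:
                return None
            self.comments.append((owner, msg.get_content().strip()))
            return owner
        return None


def reply(original, sender, body, cc=()):
    """What a mail client builds when `sender` replies to `original`:
    the Reply-To address lands in To:, so every Cc: recipient can read it."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = str(original["Reply-To"])
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg["Subject"] = "Re: " + str(original["Subject"])
    msg.set_content(body)
    return msg


def capability_holders(msg, reply_domain):
    """Human recipients of `msg` who can now see (and reuse) the reply address."""
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {a for _, a in addrs if not a.endswith("@" + reply_domain)}


def run_scenario(verify_sender=False):
    """Steps 2 to 8 above with John as victim and Sam as attacker (constructed).
    Returns (comments as stored by the server, who learned the reply address)."""
    srv = CommentServer()
    notice = srv.notify("john@example.com", "Yair", "Please review section 2")
    john_reply = reply(notice, "john@example.com", "Looks good to me",
                       cc=["sam@example.com"])
    srv.receive(john_reply, verify_sender)           # John's own comment
    # Sam copies the address from the To: line of John's reply and reuses it.
    forgery = EmailMessage()
    forgery["From"] = "sam@example.com"
    forgery["To"] = str(john_reply["To"])
    forgery.set_content("Approved, ship it")
    srv.receive(forgery, verify_sender)
    return srv.comments, capability_holders(john_reply, srv.reply_domain)


if __name__ == "__main__":
    comments, leaked_to = run_scenario()
    print("reply address leaked to:", leaked_to)
    for author, text in comments:
        print(f"{author}: {text}")
```

With the default settings the second comment, written by Sam, is stored under John's identity; `capability_holders` lists exactly the people who received the reply address through the CC and could do the same. Passing `verify_sender=True` drops Sam's forgery, but only because the toy trusts the From: header; in practice the binding of token to account would have to be checked against an authenticated sender or the token made usable only by the account it was issued to.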
On the surface this might look harmless, as no one would intentionally add an attacker to such a collaboration. But if we dig a bit deeper and consider malicious insiders and contractors (a significant factor in breaches), many interesting attacks can be carried out by leveraging this behavior in Google Docs. Imagine a contractor who works closely with the CEO on a project and gets fired. As long as he or she once received a reply carrying the CEO's unique address, he or she can keep posting comments that appear to come from the CEO. Moreover, the attacker does not need access to the document at all: the leaked address alone is enough to post comments on the victim's behalf.
Since Google has decided not to change this behavior, we recommend treating the reply address in Google Docs notification emails like a password: do not add new recipients (To or CC) when replying to those emails, and if you need to loop someone in, send them a fresh message that does not carry the reply address.