Google Drive restricted file sharing still creates publicly accessible link – This is a critical security issue

I have come across a critical security issue with Google Drive file sharing.

When you set file sharing to “Restricted – Only people added can open with this link” then only people that you have specifically added should be able to view the document and they should be forced to login before they can view the document.

However, if you share the Restricted file with a non-Google email, you will get a poorly worded popup that asks you if you want to Share Anyway:

What is very unclear, is that if you click on Share Anyway, then a publicly accessible link is created that anybody can use to view the file now, even without logging in to Google.

And what is worse, is that the file status still shows as “Restricted: Only people added can open with this link” when in reality the file status should be changed to “Anyone with the link can view the file”.

This is a Critical Security issue.

When a file is set to RESTRICTED, it should only be viewable by those added that have a Google account to login with first, and should NEVER be viewable by anybody else even if they have the link.

Another -1 for Google 🙁

Here is thread on Stackoverflow:
https://stackoverflow.com/questions/71130234/critical-security-issue-with-google-drive-when-sharing-file-as-restricted

Here is a link on the Google Issue Tracker:
https://issuetracker.google.com/issues/215152601

Leave a Reply