A security vulnerability in Google Drive’s folder sharing system allowed unauthorized access to private Google Form responses despite “View-only” permissions. The flaw, responsibly disclosed by Andrew Sirkin, highlights the risks of sharing auto-generated files in cloud services. #GoogleDrive #AuthBypass #GoogleForms
Key points
- A misconfiguration in Google Drive sharing permissions led to an authorization bypass vulnerability.
- The bug allowed unauthorized download of private form responses stored within shared folders.
- The vulnerability was fully reproducible via a simple “Download All” feature, revealing CSV files containing sensitive data.
- Google rewarded the researcher with a $5000 bounty through its Vulnerability Reward Program (VRP).
- Lessons include the importance of explicit access controls and careful management of shared auto-generated files.
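To make the last lesson concrete, the following is an added toy model of folder-to-file permission inheritance; it is not Google's code and does not claim to reproduce how Drive is implemented. The assumptions are: a Node tree with per-node ACLs, a "guest" user granted View-only on the top folder, a constructed responses CSV that the owner never shared directly, and two policies, one where every file takes the highest role found on any ancestor (the bypass pattern the summary describes) and one where platform-generated files are governed only by their own explicit ACL. The download_all helper plays the role of the "Download All" feature.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, Optional


class Role(IntEnum):
    NONE = 0
    VIEWER = 1
    EDITOR = 2
    OWNER = 3


@dataclass
class Node:
    """A folder or file in a constructed Drive-like tree (model only, not Google's design)."""
    name: str
    is_folder: bool = False
    acl: dict = field(default_factory=dict)      # user -> Role granted directly on this node
    parent: Optional["Node"] = None
    children: list = field(default_factory=list)
    inherits: bool = True                        # False for auto-generated files that must be shared explicitly
    payload: str = ""                            # file contents, e.g. a responses CSV

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children.append(child)
        return child


def role_inherited(user: str, node: Node) -> Role:
    """Vulnerable policy: the highest role on the node or any ancestor folder applies to the node.
    A View-only grant on the folder therefore reaches every file created inside it."""
    best = Role.NONE
    cur: Optional[Node] = node
    while cur is not None:
        best = max(best, cur.acl.get(user, Role.NONE))
        cur = cur.parent
    return best


def role_explicit(user: str, node: Node) -> Role:
    """Hardened policy: a node that opts out of inheritance is governed only by its own ACL,
    so an auto-generated responses file is readable only by users it was explicitly shared with."""
    best = node.acl.get(user, Role.NONE)
    if not node.inherits:
        return best
    cur = node.parent
    while cur is not None:
        best = max(best, cur.acl.get(user, Role.NONE))
        cur = cur.parent
    return best


def download_all(user: str, folder: Node, policy: Callable[[str, Node], Role]) -> dict:
    """Model of a 'Download All' export: return {filename: payload} for every descendant
    file the given policy lets `user` read. Folders are recursed, files are checked one by one."""
    out: dict = {}
    for child in folder.children:
        if child.is_folder:
            out.update(download_all(user, child, policy))
        elif policy(user, child) >= Role.VIEWER:
            out[child.name] = child.payload
    return out


def build_sample_tree() -> Node:
    """Constructed sample: a project folder shared View-only with 'guest'. The responses CSV
    was generated by the platform next to the form and was never shared by its owner."""
    root = Node("Project", is_folder=True, acl={"owner": Role.OWNER, "guest": Role.VIEWER})
    root.add(Node("brief.txt", payload="constructed public brief"))
    root.add(Node("Survey (Responses).csv",
                  acl={"owner": Role.OWNER},
                  inherits=False,
                  payload="timestamp,email,answer\n2024-01-01,constructed@example.invalid,yes"))
    return root


def exposure_report(user: str) -> dict:
    """Compare what `user` can export under each policy; used to show the fix closes the gap."""
    root = build_sample_tree()
    return {
        "inherited": sorted(download_all(user, root, role_inherited)),
        "explicit": sorted(download_all(user, root, role_explicit)),
    }


if __name__ == "__main__":
    for user in ("guest", "owner"):
        print(user, exposure_report(user))
```

The design point is that the export routine checks each file with the policy rather than trusting the folder grant once; with role_explicit the guest's View-only share still yields brief.txt but never the responses file, while the owner's explicit grant keeps it available to them.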