ich
(ICH)
February 25, 2016, 11:32am
1
I have just spoken to one of my users who has received a request to access a folder on her Google Drive. The request was from an address unknown to us. Her privacy settings seem to be correct, and only specified people should be able to see her Google Drive.
Is Google Drive security very poor? Is this a known problem? How could someone know what folders were inside a private Google Drive?
There is no sensitive information in the drive, but nevertheless the user found it unsettling to think that what she thought was private can be seen.
@Google
5 Spice ups
phoenix04
(Phoenix04)
February 25, 2016, 12:02pm
2
I have not had anything like that occur, but I’d still have the user change her password.
Google Drive is very secure IMO. I have over 250 users using it, and the only problems we’ve encountered are user error.
Is it possible she’s shared the link somewhere? Is it a folder she has shared with at least one person? If someone else tries to share it without the editing permissions, the owner gets the request to view.
Also, if she’s shared the folder or document with coworker A, and coworker A is logged into a device as private A, then they cannot open the shared file. Thus clicking on it creates a request for sharing to the owner. Could that be it?
Just a couple of the possibilities. Let us know if you find out anything more.
2 Spice ups
We do have that occur here, but not because Google Drive is at all insecure.
It’s usually because a document gets shared to one particular person who then forwards it either to their home email address or a colleague who doesn’t have access.
The request has to come from a human, though. Just clicking on the document itself doesn’t send this type of request; it will show a page like the following.
Only clicking the request access will send the email to the owner.
Of course, you could probably guess or brute force a file name to generate this page, but it’s still not going to give you access unless explicitly given by the owner of the document.
I wouldn’t worry too much about it, just make sure users only share with addresses they recognise or turn off the ability to share outside the domain if you have Apps for Work and are really concerned about it.
2 Spice ups
Chances are, the employee shared the document with a person, who then attempted to share with somebody not given access by the owner.
You may also have a 3rd party app (browser extension or mobile app) with access to your Google Apps environment that is sharing information.
One way to track this type of sharing is to use a third party tool to track email forwards. Yesware (for sales teams) and Virtru (Gmail and doc encryption) are two that provide this service. The cost is worth it when you feel this is an ongoing issue.
I would also suggest looking at BetterCloud Enterprise and CloudLock as tools for monitoring and managing document permissions.
1 Spice up
Did you Google search the email address? If it’s a real person typically if you search the email address on Facebook or LinkedIn you’ll come across it. If it’s a known spammer there could be other people complaining online about it and a Google search might yield some answers as well.
ich
(ICH)
February 25, 2016, 2:45pm
7
Thanks for the suggestions. I will talk again to the user.
ich
(ICH)
February 25, 2016, 4:00pm
8
I have spoken to the user. They have confirmed that the account that requested access was the personal account of a colleague that she had shared the folder to via their work account.
Thanks to everyone for their help.
1 Spice up
larsen161
(larsen161)
February 29, 2016, 11:28pm
9
I find this often happens when people don’t use user profiles in Chrome to manage their multiple Google accounts. I often get requests to access docs from Gmail addresses I don’t recognise because a person’s work email isn’t on GApps. In the Gmail account, just link the corporate non-Google address via alternate emails: https://myaccount.google.com/email?pli=1