A security vulnerability has been found in the Google Drive Desktop application for Windows. It allows a logged-in user on a shared machine to access another user’s Drive files completely without needing their credentials.
This vulnerability stems from a broken access control mechanism in how the application handles cached data.
While Google Drive is widely trusted for its security and convenience by millions for storing sensitive data, this vulnerability challenges those assumptions.
The issue lies within the app’s local caching system, known as DriveFS, which fails to properly isolate cached files between different user profiles on a Windows system.
Vulnerability And Exploitation
According to Abdelghani Alhijawi, the Google Drive Desktop app caches synchronized files in a local directory (DriveFS).
Due to improper isolation, an attacker can access a victim’s cached DriveFS folder, copy its contents, and replace their own DriveFS folder with the victim’s data.
Upon restarting the application, Google Drive loads the victim’s entire drive, including “My Drive” and “Shared Drives,” as if it belonged to the attacker, without any re-authentication prompts.
This exploit directly contravenes fundamental security principles:
- Zero Trust: The application incorrectly trusts the copied cache without verifying the user identity.
- Encryption at Rest: Cached files are not individually encrypted for each user, allowing them to be reused across different accounts.
- Re-authentication: The application does not require a password or any form of re-login when a different user’s cache is loaded.
This vulnerability presents a classic insider threat scenario, particularly dangerous in environments with shared workstations like offices, universities, or co-working spaces.
An employee or any user on a shared system can covertly copy another person’s Drive cache, gaining access to sensitive files such as contracts, financial records, HR documents, or proprietary source code, Abdelghani Alhijawi said.
The potential for data exfiltration, modification, or deletion is substantial, posing risks of privacy violations, compliance failures under regulations like GDPR and HIPAA, and significant reputational damage.
Insider threats are a known and costly problem, accounting for 22% of security breaches according to the 2024 Verizon DBIR and costing companies an average of $15.38 million annually, as reported by a 2022 Ponemon/IBM study.
The vulnerability places the Google Drive Desktop app out of alignment with major global security standards like NIST SP 800-53, ISO 27001, and SOC 2.
These frameworks mandate strict data isolation, least privilege access, encryption of data at rest, and robust session management all of which are compromised by this flaw.
The researcher who discovered the issue reported it to Google’s vulnerability program but was told, “This is not considered a security bug.”
This response is concerning, as the flaw represents a failure to adhere to Zero Trust principles and leaves users exposed to significant risks.
Recommendations For Users
Until Google addresses this issue, users and organizations are advised to take precautions:
- Avoid using Google Drive Desktop on shared or multi-user computers.
- Enforce strict permissions on separate Windows user profiles.
- Use the application only on dedicated and managed endpoints to minimize insider threat risks.
Ultimately, the responsibility for securing user data lies with the service provider.
By failing to implement per-user encryption, requiring re-authentication for cached sessions, and adhering to Zero Trust principles, Google Drive Desktop currently falls short of essential security expectations.
Source link
