Millions of people and businesses trust Google Drive every day to store important files like contracts, reports, photos, and research papers.
The desktop app for Windows promises secure and seamless syncing of files between local folders and the cloud.
Yet a serious flaw in Google Drive Desktop for Windows breaks these promises. Any user on a shared Windows machine can grab another user’s entire Drive content—without ever needing to sign in again.
Vulnerability Details
Google Drive Desktop keeps copies of synced files in a hidden local folder called DriveFS. This folder sits under each user’s Windows profile and should only be accessible to its owner, as per a report by Security Researcher.
However, the app does not enforce strict file isolation or require fresh login when it loads that folder. If an attacker can reach the DriveFS folder of another user, they can copy its contents into their own profile.
When the Drive app restarts, it will load the copied cache and treat the victim’s Drive files as if they belong to the attacker. This bypasses all normal checks for user identity, turning a basic file cache into an open door.
Proof of Concept
On Windows 10 or 11 with Google Drive Desktop version 112.0.3.0, the steps are simple:
- The attacker logs into Google Drive Desktop with their own Google account.
- They close the Drive app.
- They copy the victim’s DriveFS folder
(C:UsersAppDataLocalGoogleDriveFS )
into their own DriveFS folder (C:UsersAppDataLocalGoogleDriveFS ). - On restarting the Drive app, Google Drive Desktop loads the victim’s data without asking for a password.
- The attacker gains full access to all files in My Drive and any Shared Drives.
No re-authentication, no warnings, and no built-in limits block this move. Sensitive documents, source code, financial records, or private photos are all exposed in seconds.
This flaw breaks core security principles like Zero Trust, which says you must always verify identity before granting access.
It also ignores encryption at rest—cached files remain in plain form and can be reused by anyone with local access.
Major standards and laws such as NIST, ISO 27001, GDPR, and HIPAA expect strong isolation and fresh login checks. Google Drive Desktop fails on every count.
Until Google issues a fix, organizations should avoid using the desktop app on shared or multi-user machines.
Clearing the DriveFS cache between accounts, enforcing separate Windows profiles with tight permissions, and restricting Drive Desktop to trusted endpoints are critical stopgap measures.
Google must add per-user encryption for cache files, require re-authentication when mounting any cache, and apply strict Windows file permissions to block cross-profile access.
Insider threats already cause a large share of data breaches and carry costly impacts for businesses. By trusting cached data without verification, Google Drive Desktop invites misuse of private files and serious compliance failures.
True security demands verification—never blind trust. Until this bug is fixed, users and IT teams bear the risk of unchecked access to their most critical data.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
Source link
