Security Digest - Misconfigured Google Drive Permissions Can be Costly
March 28, 2023
📂 Google Drive offers an outstanding platform for creating, sharing, and collaborating on documents. While sharing documents is easy, it's crucial to review permissions carefully and keep them as restrictive as possible, especially when sharing publicly. Earlier this month, an unauthorized individual modified a public Google Sheet, ultimately obtaining $120,000.
The affected party was PeopleDAO, a blockchain member fund established to purchase original historical documents, starting with the US Constitution. Here's what transpired. 👇👇
A PeopleDAO accounting team member shared a Google Sheet link in a public Discord channel. The permissions allowed anyone with the link to edit the document. This Sheet contained crypto wallet addresses for weekly payouts to PeopleDAO members.
💸 An unidentified individual utilized the Google Sheet link to insert a row with their wallet address, requesting a $120,000 payout. They then concealed the row, and the additional payout went unnoticed until it was too late, and the funds had been transferred.
This egregious Google Drive permissions oversight highlights the risks associated with Drive file sharing. If you use Drive or other file-sharing services like Box, Dropbox, or O365, verify permissions on files when sharing them.
A few important things to keep in mind:
👉 Is access to the document necessary for those you are sharing with?
👉 Should the individuals listed have editing capabilities?
👉 Share documents exclusively with those who need access.
👉 Allowing anyone to edit a document is seldom appropriate.
Refer to this guide from Google for more information on sharing Drive documents.
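To make the checklist above actionable at scale, here is an added example (not part of the original post) that audits file permission metadata in the shape the Google Drive API v3 returns and flags any file where "anyone with the link" holds an editing role, which is the PeopleDAO misconfiguration. The file records are constructed sample data, and the query string in the docstring is the real Drive API term for fetching link-shared candidates in a live run.

```python
"""Flag Google Drive files that grant editing to "anyone with the link".

Added example, not from the post. Records follow the Drive API v3 shape
from files.list with fields="files(id,name,permissions(type,role))"; a
live run would select candidates with q="visibility='anyoneWithLink'".
The records below are constructed sample data so the check runs offline.
"""

# Drive API v3 role names, least to most permissive.
ROLE_ORDER = ["reader", "commenter", "writer", "fileOrganizer", "organizer", "owner"]
# "writer" and above can change cells, add rows and hide them.
EDIT_ROLES = set(ROLE_ORDER[ROLE_ORDER.index("writer"):])

SAMPLE_FILES = [  # constructed sample data
    {"id": "f1", "name": "Weekly payouts", "permissions": [
        {"type": "user", "role": "owner"}, {"type": "anyone", "role": "writer"}]},
    {"id": "f2", "name": "Team handbook", "permissions": [
        {"type": "user", "role": "owner"}, {"type": "anyone", "role": "reader"}]},
    {"id": "f3", "name": "Budget draft", "permissions": [
        {"type": "user", "role": "owner"}, {"type": "group", "role": "writer"}]},
]


def strongest_public_role(record):
    """Most permissive role granted to type 'anyone', or None if not public."""
    public = [p["role"] for p in record.get("permissions", [])
              if p.get("type") == "anyone" and p.get("role") in ROLE_ORDER]
    return max(public, key=ROLE_ORDER.index) if public else None


def audit(records):
    """Return (id, name, role, finding) per publicly shared file; finding is
    "public-edit" for an editing role (the PeopleDAO case), else "public-read".
    """
    findings = []
    for rec in records:
        role = strongest_public_role(rec)
        if role is None:
            continue
        kind = "public-edit" if role in EDIT_ROLES else "public-read"
        findings.append((rec["id"], rec["name"], role, kind))
    # Riskiest first: files anyone can edit come before read-only ones.
    return sorted(findings, key=lambda f: f[3] != "public-edit")


if __name__ == "__main__":
    for file_id, name, role, kind in audit(SAMPLE_FILES):
        print(f"{kind:12}{role:10}{file_id}  {name}")
```

Files reported as "public-edit" are the ones to fix first: remove the "anyone" permission and share with named users instead.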
Want to subscribe your team to weekly posts like this in Slack? Check out Haekka Streams. All Streams are 100% customizable by admins before they are sent to your team.
Schedule a demo
Get started with a free trial by scheduling a demo today. One of our training experts will walk you through a live Haekka demo.