
What That Google Drive 'Security Update' Message Means (arstechnica.com) 9

An anonymous reader quotes a report from Ars Technica: "A security update will be applied to Drive," Google's weird new email reads. If you visit drive.google.com, you'll also see a message saying, "On September 13, 2021, a security update will be applied to some of your files." You can even see a list of the affected files, which have all gotten an unspecified "security update." So what is this all about? Google is changing the way content sharing works on Drive. Drive files have two sharing options: a single-person allow list (where you share a Google Doc with specific Google accounts) and a "get link" option (where anyone with the link can access the file). The "get link" option works the same way as unlisted YouTube videos -- it's not really private but, theoretically, not quite public, either, since the link needs to be publicized somewhere. The secret sharing links are really just security through obscurity, and it turns out the links are actually guessable.

Google knew about the problem of guessable secret links for a while and changed the way link generation works back in 2017 (presumably for Drive, too?). Of course, that doesn't affect links you've shared in the past, and soon Google is going to require your old links to change, which can break them. Google's new link scheme adds a "resourcekey" to the end of any shared Drive links, making them harder to guess. So a link that used to look like "https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/" will now look like "https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/view?resourcekey=0-OsOHHiQFk1QEw6vIyh8v_w." The resource key makes it harder to guess. If you head to drive.google.com/drive/update-drives in a browser, you should be able to see a list of your impacted files, and if you mouse over them you'll see a button on the right to remove or apply the security update. "Applied" means the resourcekey will be required after September 13, 2021, and will (mostly) break the old link, while "removed" means the resourcekey isn't required and any links out there should keep working.
YouTube is also making similar changes. "In 2017, we rolled out an update to the system that generates new YouTube Unlisted links, which included security enhancements that make the links for your Unlisted videos even harder for someone to discover if you haven't shared the link with them," says YouTube in a support page.

YouTube creators can decide to opt out of this change. They also have the option of making Unlisted pre-2017 videos public or re-uploading as a new Unlisted video at the expense of stats.
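
For anyone maintaining wikis, runbooks or documentation that embed Drive links, the following is an added example (not part of the Ars Technica report and not Google tooling) that scans text for the `/file/d/<id>` link form quoted above and reports which file IDs are still linked without a `resourcekey`. The function names are hypothetical, `EXAMPLE_FILE_ID_2` is a made-up placeholder, and other Drive link forms are not handled.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample text. The first two URLs are the ones quoted in the
# summary above; EXAMPLE_FILE_ID_2 is a made-up placeholder ID.
SAMPLE = """
Old wiki page: https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/
Re-shared as "https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/view?resourcekey=0-OsOHHiQFk1QEw6vIyh8v_w."
Runbook: https://drive.google.com/file/d/EXAMPLE_FILE_ID_2/view?usp=sharing
Settings: https://drive.google.com/drive/update-drives
"""

URL_RE = re.compile(r"https://drive\.google\.com/[^\s\"'<>]+")
FILE_ID_RE = re.compile(r"^/file/d/([A-Za-z0-9_-]+)")


def audit_drive_links(text):
    """Map each Drive file ID found in text to its keyed and keyless URLs."""
    report = {}
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;)")  # drop trailing sentence punctuation
        parts = urlsplit(url)
        file_id = FILE_ID_RE.match(parts.path)
        if file_id is None:
            continue  # not a /file/d/<id> link (e.g. a settings page)
        entry = report.setdefault(file_id.group(1), {"keyed": [], "keyless": []})
        has_key = bool(parse_qs(parts.query).get("resourcekey"))
        entry["keyed" if has_key else "keyless"].append(url)
    return report


def needs_attention(report):
    """Return (IDs linked only without a key, IDs linked both with and without)."""
    keyless_only = sorted(i for i, e in report.items() if e["keyless"] and not e["keyed"])
    mixed = sorted(i for i, e in report.items() if e["keyless"] and e["keyed"])
    return keyless_only, mixed


if __name__ == "__main__":
    keyless_only, mixed = needs_attention(audit_drive_links(SAMPLE))
    print("only keyless links found:", keyless_only)
    print("stale keyless copy still published:", mixed)
```

IDs in the first list are candidates for links that break once the update is applied; IDs in the second list have an old keyless copy still published alongside the new one.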
  • by fahrbot-bot ( 874524 ) on Wednesday July 28, 2021 @05:18PM (#61631887)

    What That Google Drive 'Security Update' Message Means

    That Google Drive has *finally* moved from Alpha to Beta testing? :-)

    [Note: The next stage in the Google development process is usually "discontinued".]

    • That Google Drive has *finally* moved from Alpha to Beta testing? :-)

      [Note: The next stage in the Google development process is usually "discontinued".]

      Long con ransomware scam then, is it? Well played Google.

  • I got the email message about the links twice, both times pointing to the exact same two files.

  • Gotta love the Example Link...not an example but working. The file is a "Big Android Chart" a .xlsx file. :) Excel + Android = ???.

    JoshK.

  • Anyone have details on how these links can be guessed? I'm also curious how the resourcekey resolves the issue.
    • Usually you can compare online mechanics with offline mechanics. The equivalent would be: Before, you could just make up a street name and number, and there's a chance it is an address of an actual house. Without requiring a key, you can just walk into that house. Now you not only need to guess the address, but also need a key to unlock the door. And yes of course, you can also try to guess the key (physical keys also have a key number), but the chance of you guessing the key that belongs to that house is m
      • That works because most cities have a "Main Street" or other common street names and house numbers in order.

        If the address part would be a completely random number and the key is a random number, then two separate 128bit random numbers are exactly as easy or as difficult to guess as one single 256bit number.

        If your example is a correct analogy for the current Google Drive links, this would mean that the "secret link" is not random. (if not even half public, like a street address)

        If it is random, they just a

        • I did a quick check and two files in the same directory have the same first ~half of the file id. So there is some logic underneath, it's not just a fully random string that could be expanded.
        • Random or not. The point I believe we are both making is, that it is just more stuff you have to get right. I completely agree that 2 x 10 = 1 x 20.
