Imagine a hacker, abusive ex, or disgruntled employee could poison your work’s Google Drive searches

Imagine that I’m a hacker (really stretch your imagination here), your ex (or your employer’s ex), and I’m a total dick.

At your company you’re on Google Suite, G Suite, or whatever they’re calling it this week, and you’re using Google Drive for shared document storage.

I’d say this accounts for quite a few of you on the Goog.

TL;DR – everything below details how I, as a third party, can shape your Google Drive searches just by sharing a folder while knowing only your email address, plus a bug that keeps it working even if you delete my share from your view. Alternately I’m wrong. I’ve got a cold. Please be kind.

Should be noted Paul is an Android guy, not a security guy. I just did this (poisoning searches), and at Pocketables, in about an hour, we’ve found no way to block it (doesn’t mean you haven’t). Please share the answer with us.

I’m a bit unsure if this will be taken as a warning or as an instruction manual for how to harass someone or a company. It’s been reported to Google, and evidently they’ve been running a woman in circles for a month while garbage shared by her ex keeps returning over and over again.

Ooh hey, looking for a picture of your kid? Well how about this instead?

What I’m about to detail here we’ve tested. It evidently has yet to be addressed by Google (or my Google Fu is weak, or it’s such old news I haven’t caught it), and right now they’re not doing anything about it (the harassment / reappearing deleted shares) and are putting one person through the wringer saying it’s how it’s supposed to work. (Bug or a feature, you decide.)

We’ll wait for permission, however, to post her tweet thread about an ex.

For purposes of this article (please be nice if I’m wrong here): There’s no way to block a Google Drive sharer. If you delete a shared folder from your view it will come back (bug referenced on Twitter). New items placed in the shared folder, or clicking on a search result, will essentially resubscribe you. Items will come up in searches. You’ll get one notification email on a shared folder, but new items in said folder will not notify you.

Oh wait, no you won’t get a notification, because using my hacker skills I’m going to uncheck “notify people.”

It may just end up being how the sharing works, and you’re going to have to take additional preventive security measures on naming things and make sure people check the source of every single shared document, and that still might not be enough.

I’m waiting to see if the person who is being harassed this way wants the Twitter thread referenced or not, but for the moment I’m going to address how this poisoning works / what we played with.

I’ve got dirt on you (I’m an abusive ex here), or perhaps simply chat transcripts you don’t want your coworkers having, or pretty much anything whatsoever. Could also be dirt on the boss; who knows, maybe I want to drive employee morale into the ground. Maybe I’m the competition. Maybe I’m just phishing.

I go to my Google Drive (using an account name that looks like your employer’s), share a folder with your boss, coworkers, everyone at the company I can, set it read-only, and proceed to poison their Drive searches by uploading whatever I want into that folder and crafting specific names.

I mean, as a total dick, my first move is going to be sharing a folder on Google Drive, contents just a text file containing what I think will get my goal done. There, I’ve shared a folder with every coworker that I could locate from your company’s website and a couple of calls asking what email I needed to send something to.

Shared it read-only with all of them on Drive, done. Named a text file in there something like “stationery” or your company name. They’ve got access to everything, read-only. They’ve been notified once that someone shared a folder with them ([email protected]) and will not be notified of future items placed in said folder.

The next coworker to search for stationery in their Drive is going to come up with… oh yeah, a screenshot of that text from the time you ditched work because it was a nice day (or spent $120K on a car the day you told employees raises were out of the question), or you doing something you’re not supposed to do in the copy room.

Now I place a file in the folder shared with y’all simply called “companyname.png”, and it’s an image. It can be whatever I want it to be, but I’m a total dick, so figure out where this is going. I’m planting stuff your company searches for just because I know your email addresses.

For the purposes above, I poisoned Daniel’s Google Drive with a Halloween-themed image.

I name things like 2019, fiscal, and other things that might be searched for by various departments and drop them in my shared folder. These come up when someone searches their Google Drive. The example above is my Halloween photo forced into Daniel’s “Reactor” search on his Google Drive.

Should be noted, the above is the actual result of a Drive search Daniel did; that 3rd item didn’t have to be a bell pepper that looks like a pumpkin. I could make everyone a subscriber to Eye Bleach Monthly.

Now, you can delete the items, but the instant I put something else in my shared Google Drive folder, or you navigate in and out of the folder, or I simply re-share it, it’s back. That’s the bug / harassment / phisher’s dream part.

And there’s no way to block them. I can share fake contact information, say an email distro list called “company distro emails 2019 use this one” that lists everyone I could find, plus an email address I control. Fun with phishing when you’ve got eyes on the wrong info.

These come up when you’re searching Google Drive. Are you going to tell me everyone at your work can be trusted not to click “use this one!”?

Here’s to hoping that Google allows you to block content or puts up a giant “shared from outside your group” banner, because you shouldn’t be seeing items when searching your Drive just because someone knows your email address.
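One way to surface that “shared from outside your group” condition yourself, as an added example that is not code from the post or from Google: it assumes file metadata in the shape returned by the Drive API v3 `files.list` call with `q="sharedWithMe"` (the fetching step is left out and the sample data is constructed), and it also flags external owners whose address or display name mimics the company name, the “account that looks like your employer’s” trick described above.

```python
# Added example, not code from the post or from Google: triage "Shared with
# me" items by owner domain so externally shared folders stand out.
# Assumes dicts shaped like Drive API v3 File resources (id, name,
# owners[].emailAddress, owners[].displayName), e.g. from
# files.list(q="sharedWithMe", fields="files(id,name,owners)").

ORG_DOMAINS = {"example.com"}  # assumption: the company's Workspace domain(s)
ORG_NAME = "example"           # assumption: name an impostor account might mimic


def owner_domain(email: str) -> str:
    """Return the lower-cased domain part of an address ('' if malformed)."""
    _, at, domain = email.lower().rpartition("@")
    return domain if at else ""


def triage_shared_items(files, org_domains=ORG_DOMAINS, org_name=ORG_NAME):
    """Return one finding per item whose owner is outside org_domains.

    lookalike is True when the external owner's address or display name
    contains the company name (an impostor mimicking the employer).
    """
    findings = []
    for f in files:
        for owner in f.get("owners", []):
            email = owner.get("emailAddress", "")
            if owner_domain(email) in org_domains:
                continue  # internal owner: nothing to flag
            display = owner.get("displayName", "")
            lookalike = org_name.lower() in (email + " " + display).lower()
            findings.append({"id": f["id"], "name": f["name"],
                             "owner": email.lower(), "lookalike": lookalike})
    return findings


# Constructed sample: two internal items and two external ones.
SAMPLE_FILES = [
    {"id": "f1", "name": "Q3 budget", "owners": [{"emailAddress": "cfo@example.com", "displayName": "CFO"}]},
    {"id": "f2", "name": "stationery", "owners": [{"emailAddress": "example.it.dept@gmail.com", "displayName": "Example IT"}]},
    {"id": "f3", "name": "company distro emails 2019 use this one", "owners": [{"emailAddress": "someone@outside.net", "displayName": "Someone"}]},
    {"id": "f4", "name": "2019 fiscal", "owners": [{"emailAddress": "finance@example.com", "displayName": "Finance"}]},
]

if __name__ == "__main__":
    for hit in triage_shared_items(SAMPLE_FILES):
        banner = "LOOKALIKE OWNER" if hit["lookalike"] else "external owner"
        print(f"[{banner}] {hit['name']!r} shared by {hit['owner']}")
```

Running it against a real “Shared with me” listing would print a line for every item an outsider shared, which is the banner the post asks for, applied client-side.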

Alternately there’s a simple switch we’re not seeing, and I just wrote several hundred words about an item that’s detailed in an instruction manual I forgot.

The source is on Twitter; I’ve asked if I can link it.

