A researcher has found that Google's JotSpot service — which allows users to collaborate on online documents — exposes user names and email addresses to anyone on the internet. However, the search giant said the problem is due to administrator users not making the settings private.
As a result, sensitive user data is indexed by Google's crawler and made accessible on the web, said Ben Edelman, a Harvard Business School professor and security researcher.
"This is not a security issue," a Google spokesman said in an email. "The information in these wikis is accessible because they have been set to public on the Site Permissions page. Users are always in control of the information they share. If wikis are set to private, no information will be publicly accessible."
JotSpot wikis are private by default and no information is made public unless the group administrator changes the privacy controls, the Google spokesman said.
ZDNet UK sister site CNET News.com was able to view full user names, email addresses and group memberships of JotSpot users. This was done by searching Google for 'user management' pages on JotSpot that list registered users for different JotSpot projects or groups. Such a search conducted late on Thursday brought up about 2,800 results.
Each user listed on the user-management pages has a link to a page with more information, including an email address.
This is the case even for wiki pages that groups designated specifically as being private, Edelman wrote in a blog post. A test of one of Edelman's examples showed that the user-management page for a private group was no longer accessible, so Google may have removed public access to some of those pages.
Edelman said he notified Google of the security problems a week ago and that some of the affected sites were modified to address the situation on Monday.
The security lapse not only exposes data that users believed was protected but it puts the users at risk of being spammed and victimised by a social-engineering attack, Edelman said.
Told of Google's comment, Edelman said that, even if the problem is due to users not setting the privacy settings adequately, the matter still reflects poorly on Google.
Read this
Photos: Seven androids – and their lessons for enterprise IT
ZDNet UK picks out seven of fiction's most arresting androids and the lessons their fables have for business technology
"This is not good design. Showing email addresses is hard to defend," he said. "It's a question of what users could reasonably understand and accept. The privacy policy doesn't give any indication [that the data could be exposed to the web]."
Google acquired JotSpot two years ago.
The problem also exposes a flaw in Google's hosted-services business, which relies on customers — both individuals and companies — having faith in Google's ability to secure customer data, Edelman said.
"JotSpot's postings are, by all indications, accidental. But, in the context of a series of similar slip-ups, this error raises questions about the efficacy of Google's model of hosted applications," Edelman wrote.
"As these services become increasingly widely used, each slip-up exposes an ever-larger amount of data," Edelman said. "So far, few users seem concerned, but I suspect these hidden challenges will ultimately impede the server-based applications Google envisions."
