The Danger of Sharing Files with “Anyone with the Link”: Examining a Risky Google Drive Misconfiguration
Published 07/30/2024
Originally published by Valence.
Often when it comes to security, a significant risk results from an action that is so easy that we tend to overlook the risk itself. Sharing a file using the “anyone with the link” option is the equivalent of leaving a treasure chest unlocked, overflowing with sensitive customer data. Unfortunately, it's a surprisingly common occurrence in cybersecurity, and the treasure chest in question is often data stored in a SaaS application.
Based on Valence research, a concerning 22% of external data shares utilize “open links”, meaning anyone with the link can access the data. Compounding this issue, 94% of these open link shares are inactive.
SaaS misconfigurations, meaning mistakes or ill-advised practices in how SaaS applications are set up, can leave data vulnerable and organizations exposed. One of the riskiest of these misconfigurations is the open link data share, which we’ll explain in more detail in this article.
A case in point: Ateam's costly Google Drive misconfiguration
In December 2023, Japanese game developer Ateam learned this lesson the hard way. A misconfiguration in their Google Drive account left the personal data of nearly one million people exposed for over six years! The culprit? A sharing setting that allowed “Anyone with the link” to view files stored in their Google Drive. That setting essentially removes access controls and makes the file available to anyone on the internet who stumbles upon the link or deliberately finds it for malicious purposes. This means that for over half a decade, sensitive information like names, email addresses, phone numbers, and customer management numbers was accessible to anyone who obtained the link.
The potential consequences of such a breach are significant. Exposed data can be used for identity theft, phishing attacks, or even sold on the dark web. Ateam's incident highlights a critical security concern: the ease with which sensitive data can be unintentionally exposed due to misconfigurations in SaaS applications.
Why are SaaS misconfigurations so common?
Organizations of all sizes and from all industries are susceptible to SaaS misconfigurations due to the complexity of SaaS environments and the dynamic nature of user permissions. SaaS applications come with a vast array of features and settings. Keeping track of them all can be a challenge for even the most experienced IT teams. Typical misconfigurations include a lack of MFA/SSO enforcement, overprivileged third-party access, insecure default sharing settings, publicly available data, and many more.
The 2024 State of SaaS Security Report underscores this point, with 43% of security executives citing the "Complexity of SaaS configurations" as a top security challenge.
Further compounding the issue is the dynamic nature of user permissions. Permissions are constantly being added, removed, and modified as employees come and go, and projects evolve. Configuration drift, or the tendency for configurations to deviate from security practices over time, can create security risks that go unnoticed unless actively monitored and addressed.
The dangers of open link sharing
The Ateam incident involving Google Drive serves as a cautionary tale for managing external access in cloud storage. Easy sharing features like "anyone with a link" exist across many platforms (from file storage platforms like Dropbox to communication tools like recordings in Zoom), but they can be risky. While convenient, this method bypasses essential access controls, essentially leaving data wide open for anyone to exploit. Organizations can significantly reduce the risk of accidental data exposure by implementing stricter access controls. This includes granting access only to specific users, for defined purposes, and for the minimum amount of time necessary.
Recommendations to prevent open link data shares
So, how can organizations prevent these costly “Open Link” misconfigurations and protect their sensitive data? Here are some key recommendations:
- In general, avoid open link shares: It’s highly recommended for SaaS users to avoid sharing via "anyone with the link." While the convenience is clear, and perhaps the wider risk is seen as unlikely, it’s preferable to share files with individual users or user groups.
- Adhere to the Principle of Least Privilege (PoLP): Least privilege should serve as a foundational best practice. Grant users only the minimum level of access required to perform their jobs. Avoid blanket access controls and regularly review and update permissions, including deleting inactive data shares.
- Data Governance Policies: Establish clear policies for data classification, access control, and data sharing. Regularly review and update these policies to stay ahead of evolving threats.
- SaaS Security Posture Management (SSPM): Consider implementing an SSPM solution to go beyond user access control and analyze configurations within each SaaS application to identify and address security risks before they are exploited.
- User Education: Train employees on secure data sharing practices within SaaS environments. This includes avoiding open link sharing, understanding access control settings, and reporting suspicious activity.
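As an added example (not from the original article or from Valence), the permission review recommended above can be sketched as an audit over file metadata in the shape returned by the Google Drive API v3 `files.list` method, where an open link appears as a permission with `type` set to `anyone`. The sample records, the audit date, the 90-day inactivity threshold based on `modifiedTime`, and the suggested actions are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records shaped like Drive API v3 files.list output
# (fields: id, name, modifiedTime, permissions(type, role, allowFileDiscovery)).
SAMPLE_FILES = [
    {"id": "f1", "name": "customer-export.csv", "modifiedTime": "2018-03-02T09:15:00Z",
     "permissions": [{"type": "user", "role": "owner"},
                     {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "press-kit.pdf", "modifiedTime": "2024-07-20T12:00:00Z",
     "permissions": [{"type": "user", "role": "owner"},
                     {"type": "anyone", "role": "writer", "allowFileDiscovery": False}]},
    {"id": "f3", "name": "roadmap.docx", "modifiedTime": "2020-01-10T08:00:00Z",
     "permissions": [{"type": "user", "role": "owner"},
                     {"type": "group", "role": "reader"}]},
    {"id": "f4", "name": "team-notes", "modifiedTime": "2024-07-01T08:00:00Z",
     "permissions": [{"type": "domain", "role": "reader", "allowFileDiscovery": False}]},
]
AUDIT_DATE = datetime(2024, 7, 30, tzinfo=timezone.utc)  # constructed "now"

def parse_time(value):
    # Drive timestamps are RFC 3339; map the trailing "Z" to an explicit UTC offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_open_links(files, now, inactive_after_days=90):
    """Return one finding per file that carries a type=anyone permission."""
    cutoff = now - timedelta(days=inactive_after_days)
    findings = []
    for f in files:
        open_perms = [p for p in f.get("permissions", []) if p.get("type") == "anyone"]
        if not open_perms:
            continue  # shared only with named users, groups or the domain
        roles = sorted({p.get("role", "unknown") for p in open_perms})
        inactive = parse_time(f["modifiedTime"]) < cutoff  # assumed inactivity signal
        findings.append({
            "id": f["id"], "name": f["name"], "roles": roles,
            "editable": any(r not in ("reader", "commenter") for r in roles),
            "inactive": inactive,
            "action": "revoke" if inactive else "review with owner",
        })
    # Inactive open links come first: they are the safest to remove.
    return sorted(findings, key=lambda x: (not x["inactive"], x["name"]))

if __name__ == "__main__":
    for finding in audit_open_links(SAMPLE_FILES, AUDIT_DATE):
        print(finding)
```

File modification time is only a rough proxy for share activity; audit logs of who actually opened the link give a more reliable signal where they are available.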
Read other critical insights from the 2024 State of SaaS Security Report
Open link shares and other misconfigurations are just one of the many focus areas of the 2024 State of SaaS Security Report. The report explores the many challenges, potential security risks, and best practices related to SaaS security. Download the full report today.