DOI: 10.1145/3589334.3645697 (research article)

Is It Safe to Share Your Files? An Empirical Security Analysis of Google Workspace

Published: 13 May 2024

Abstract

The increasing demand for remote work and virtual interactions has heightened the usage of business collaboration platforms (BCPs), with Google Workspace as a prominent example. These platforms enhance team collaboration by integrating Google Docs, Slides, Calendar, and feature-rich third-party applications (add-ons). However, integrating multiple users and entities in this way has inadvertently introduced new and complex attack surfaces, elevating the security and privacy risks of resource management to unprecedented levels. In this paper, we systematically study the effectiveness of cross-entity resource management in Google Workspace, the most popular BCP. Our study unveils the access control enforcement in real-world BCPs for the first time. Based on this, we formulate the attack surfaces inherent in BCPs and conduct a comprehensive assessment, pinpointing three vulnerability types that lead to distinct attacks. An analysis of 4,732 marketplace add-ons reveals that approximately 70% are potentially vulnerable to these attacks. We propose robust countermeasures to improve BCP security, urging immediate action and setting a foundation for future research.

Supplemental Material

• MP4 file: video presentation
• MP4 file: supplemental video


Published In

WWW '24: Proceedings of the ACM on Web Conference 2024
May 2024, 4826 pages
ISBN: 9798400701719
DOI: 10.1145/3589334

Publisher

Association for Computing Machinery, New York, NY, United States


      Author Tags

1. Google Workspace
      2. add-ons
      3. security vulnerabilities
      4. sharing

      Qualifiers

      • Research-article

Conference

WWW '24: The ACM Web Conference 2024
May 13 - 17, 2024, Singapore, Singapore

      Acceptance Rates

      Overall Acceptance Rate 1,899 of 8,196 submissions, 23%
