Is It Safe to Share Your Files? An Empirical Security Analysis of Google Workspace Add-ons

Author(s)
Wan, L
Wang, K
Wang, H
Bai, G
Date
2024
Location

Singapore, Singapore

Abstract

The increasing demand for remote work and virtual interactions has heightened the usage of business collaboration platforms (BCPs), with Google Workspace as a prominent example. These platforms enhance team collaboration by integrating Google Docs, Slides, Calendar, and feature-rich third-party applications (add-ons). However, such integration of multiple users and entities has inadvertently introduced new and complex attack surfaces, elevating security and privacy risks in resource management to unprecedented levels. In this study, we conduct a systematic study on the effectiveness of the cross-entity resource management in Google Workspace, the most popular BCP. Our study unveils the access control enforcement in real-world BCPs for the first time. Based on this, we formulate the attack surfaces inherent in BCPs and conduct a comprehensive assessment, pinpointing three vulnerability types leading to distinct attacks. An analysis of 4,732 marketplace add-ons reveals that approximately 70% are potentially vulnerable to these attacks. We propose robust countermeasures to improve BCP security, urging immediate action and setting a foundation for future research.

Conference Title

WWW '24: Proceedings of the ACM Web Conference 2024

Citation

Wan, L; Wang, K; Wang, H; Bai, G, Is It Safe to Share Your Files? An Empirical Security Analysis of Google Workspace Add-ons, WWW 2024 - Proceedings of the ACM Web Conference, WWW '24: Proceedings of the ACM Web Conference 2024, 2024, pp. 1892-1901