
The Day The Security Guy Dropped By...

It's always a pleasure when Arthur the online security guy at York drops by for a cup of tea. Today he pointed out, kind of him to bother really, that....


When you run an AppsScript in a Google Spreadsheet, it is run by the ActiveUser, i.e. the person who is logged in and working with the spreadsheet. In order to run the AppsScript, which edits the spreadsheet, you need Edit permission on that spreadsheet.

Stay with me.

Because you've got Edit permission on the spreadsheet, the container for the AppsScript, you've also got Edit permission on the AppsScript. That means, that you ( the ActiveUser ) can edit the script to say... get a copy of all my Documents ( assignments etc ) and upload them to a homework cheating site over here... and do it from your actual email address. It could send rude messages from you, the ActiveUser.

AAAAAARGHHHHH!

It's a massive security hole.

You could lock down the spreadsheet so that users can't edit the cells, and give them View access, but if you do that, then any menus ( which load the interface that makes changes ) don't load, and so you can't add data by proxy, as it were.

If this route of selectively locking bits of the file was almost possible, my old method of using a Task Queue that ran once a minute would mean that all the permissions, rather than being about the ActiveUser, would be tied to what's called the EffectiveUser ( the person who wrote the code and started the triggers that call the code ).

Hang on, even I'm losing it now.

At this point, I thought... hang on... I can put MOST of the code into a standalone script library. In this way the ActiveUser would only be able to edit the code that displays the user interface. Oh. Still not right, because at that point a naughty hacker could add anything they want.

And you see there is the problem. In order to do anything with this spreadsheet we're both looking at, you pretty much have to give people access to Read/Write all spreadsheets. Regardless of how innocuous the thing you are trying to do, the ActiveUser will be presented with an authentication dialog that looks like this...


And it says, "Only authorize the script if you truly trust the author".... Truly trust? Truly? Madly? Deeply? I don't even truly trust myself... how can I make a decision on that?

So basically, my dreams of an organisation creating and sharing solutions only work, if by sharing you mean...

You can take a copy of this data for yourself, and run the scripts on what is now your data

... what this doesn't mean is that...

We can work on the same data, using shared code and do anything useful with it.

All I wanted, he sighed wistfully, was to be able to collaboratively fill in a spreadsheet, using a slightly better interface than the formula bar, but in order to do that the ActiveUser ( for those still paying attention, that's YOU! ) has to click a dialog that says you truly trust me, with all your data, email, calendars etc.

It's not going to happen is it?

In this case, it would be easily fixable if I could make the Scripts in a spreadsheet have the permission for you to run ( and maybe even read ) them but not to be able to edit them. Or maybe I could say that I only want to edit THIS spreadsheet, and not have write access to ALL YOUR SPREADSHEETS!
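
An added example, not code from the original post: an Apps Script project can list the OAuth scopes it requests in the `oauthScopes` field of its `appsscript.json` manifest, so a reviewer can see what the "truly trust" dialog would grant, and whether an edit has widened it, before anyone clicks. The function name, the sample manifest and the reviewed baseline are constructed for illustration.

```javascript
// Added example (not from the original post). Classifies the OAuth scopes an
// Apps Script manifest requests and reports any not in a reviewed baseline.
const SCOPES = new Map([
  ['https://www.googleapis.com/auth/spreadsheets.currentonly', ['narrow', 'only the spreadsheet the script is attached to']],
  ['https://www.googleapis.com/auth/script.container.ui', ['narrow', 'menus, dialogs and sidebars in the container']],
  ['https://www.googleapis.com/auth/spreadsheets', ['broad', "read/write ALL of the user's spreadsheets"]],
  ['https://www.googleapis.com/auth/drive', ['broad', "read/write all of the user's Drive files"]],
  ['https://mail.google.com/', ['broad', "full access to the user's Gmail"]],
  ['https://www.googleapis.com/auth/script.send_mail', ['broad', 'send email as the user']],
  ['https://www.googleapis.com/auth/calendar', ['broad', "read/write all of the user's calendars"]],
]);

// manifestJson: text of appsscript.json; reviewedScopes: scopes approved at the last review.
function auditManifest(manifestJson, reviewedScopes = []) {
  const scopes = JSON.parse(manifestJson).oauthScopes;
  if (!Array.isArray(scopes)) {
    // No explicit list: Apps Script derives the scopes from the code itself,
    // so the manifest alone cannot be audited and the code must be read.
    return { explicit: false, findings: [], broad: [], added: [] };
  }
  const findings = scopes.map((scope) => {
    const [level, grants] = SCOPES.get(scope) || ['review', 'not in this table, check by hand'];
    return { scope, level, grants };
  });
  const reviewed = new Set(reviewedScopes);
  return {
    explicit: true,
    findings,
    broad: findings.filter((f) => f.level === 'broad').map((f) => f.scope),
    added: scopes.filter((s) => !reviewed.has(s)), // scope drift since the review
  };
}

// Constructed sample: the baseline a reviewer approved, and the manifest after
// someone with Edit permission on the spreadsheet changed the bound script.
const REVIEWED = [
  'https://www.googleapis.com/auth/spreadsheets.currentonly',
  'https://www.googleapis.com/auth/script.container.ui',
];
const EDITED_MANIFEST = JSON.stringify({
  timeZone: 'Europe/London',
  oauthScopes: ['https://www.googleapis.com/auth/spreadsheets',
    'https://www.googleapis.com/auth/script.send_mail',
    'https://www.googleapis.com/auth/script.container.ui'],
});
const report = auditManifest(EDITED_MANIFEST, REVIEWED);
for (const f of report.findings) console.log(`${f.level.padEnd(6)} ${f.scope} (${f.grants})`);
console.log('not in reviewed baseline:', report.added);
```
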

As ever, permissions come to bite us in the arse. Ouch.

p.s I wonder what the hell Google are thinking with regards to all the AppsScripts/WebApps like these that are appearing in Chrome AppStore, which seem to also have a "truly trust" dialog in them, and none of which I have yet dared to run. Would you?

p.p.s Arthur's "solution" is to write the whole thing as a standalone web app, but, from a philosophical point of view I wanted to create solutions that other people could take and evolve to suit their needs. And also, writing a web app is quite hard.

Comments

  1. "Because you've got Edit permission on the spreadsheet, the container for the AppsScript, you've also got Edit permission on the AppsScript. That means, that you ( the ActiveUser ) can edit the script to say... get a copy of all my Documents ( assignments etc ) and upload them to a homework cheating site over here... and do it from your actual email address. It could send rude messages from you, the ActiveUser."

    Not entirely true. Yes if you gave me edit permission to a spreadsheet then I can also edit the script. When the script is run by me I become the active user so I'll see a prompt to authorise connection to, for example, access my gmail. If I edit the script so that the next time you ran it, it dumped all your email somewhere else then when you run it again it'll ask you to re-authenticate.

    Webapps are a different matter and you are right to be cautious

    Martin

  2. Yes, it means you can fiddle with the script, and the NEXT PERSON has to authenticate again.

    And whilst the likelihood of this is very low, these are students... :-) It's going to happen.

    It makes me think that NO AppsScript app is anything anyone should be running, unless Arthur has carefully reviewed and approved the code.

  3. I shared some additional thoughts on Google+ about this, thought worth sharing here:

    "This issue stems from changes Google made in June in the way permission sharing is handled in Google Spreadsheets. Previously when you added an editor to a spreadsheet the script was by default locked with view only unless the owner also separately gave permission. Now Google use container inheritance[1] so an editor of a spreadsheet also automatically becomes editor of the script, furthermore there is no way to make someone an editor of a spreadsheet and viewer of the script."

    [1] https://developers.google.com/apps-script/collaborating#sharingProject

    Have you opened this as a ticket on the issue tracker?
