If you open Google Drive on the web, you will instantly spot the message informing you of an upcoming security update scheduled on the 13th of September, 2021. What does it mean?
Google Drive has also informed its users of the update via email, saying,
A security update will be applied to Drive.
If you click on “see files” within the notification, you can also find a list of the affected files, which have all gotten an unspecified “security update.”
The list includes the Name of the file, the Last modification date, whether the security update has been applied, and an option to remove the update.
There are no folders displayed in the list of impacted files. Also, the files are displayed for 30 days, after which the provider will remove them from the list.
The security update will not impact some file types, such as Google Docs, Sheets, Slides, and Forms. Instead, the change will affect shared files and folders exclusively on Google Drive, adding a resource key to the links.
Google Drive currently supports two types of sharing: a single-person allow list and a “get link” option. The first one enables users to share a Google Doc with specific Google accounts, while the latter means that anyone with the link can access the file.
Shared links work on the same principle as unlisted YouTube videos. Essentially, they are neither private nor public. If someone guesses or leaks this link, they can access the files. The difficulty of guessing the link, in turn, depends on the method used to generate the “random” part of the link.
Google has been aware of the issue of guessable links for a while now. It applied a similar change to the way unlisted YouTube links are generated in 2017.
The YouTube support page states:
In 2017, we rolled out an update to the system that generates new YouTube Unlisted links, which included security enhancements that make the links for your Unlisted videos even harder for someone to discover if you haven’t shared the link with them.
The new Google Drive links use the resource key parameter to decrease the chance of discovering publicly shared links on the platform.
So, a URL that looked like this: “https://drive.google.com/file/d/0B2WS17qmp9--TGJZdVBjUGEyeFk/” will now take the following form: “https://drive.google.com/file/d/0B2WS17qmp9--TGJZdVBjUGEyeFk/view?usp=sharing&resourcekey=0-PTJvLuPSW18qiCvIGgbL8Q”.
While shared links will still be considered publicly accessible, now it will be much more challenging to guess them.
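An added example (not Google's code and not part of the original article): a small Python check that scans text for Drive links of the form quoted above and lists the items whose links carry no resourcekey parameter. The /drive/folders/ path, the function names and the sample text are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# /file/d/<id> is the layout quoted in the article; /drive/folders/<id>
# is an assumption added here to cover shared folders.
_PATH_RE = re.compile(r"^/(?:file/d|drive/folders)/([A-Za-z0-9_-]+)")
_URL_RE = re.compile(r"https://drive\.google\.com/[^\s\"'<>“”]+")

# Constructed sample: the two URLs from the article plus a placeholder folder link.
SAMPLE_TEXT = (
    "Old: https://drive.google.com/file/d/0B2WS17qmp9--TGJZdVBjUGEyeFk/\n"
    "New: https://drive.google.com/file/d/0B2WS17qmp9--TGJZdVBjUGEyeFk/"
    "view?usp=sharing&resourcekey=0-PTJvLuPSW18qiCvIGgbL8Q.\n"
    "Folder: https://drive.google.com/drive/folders/EXAMPLE_FOLDER_ID?usp=sharing\n"
)


def parse_drive_link(url):
    """Return (item_id, resource_key or None), or None if not a Drive link."""
    # Drop sentence punctuation that often trails a pasted URL.
    parts = urlsplit(url.rstrip(".,;)"))
    if parts.scheme != "https" or parts.hostname != "drive.google.com":
        return None
    match = _PATH_RE.match(parts.path)
    if not match:
        return None
    # parse_qs drops blank values, so "resourcekey=" counts as missing.
    query = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    return match.group(1), query.get("resourcekey", [None])[0]


def links_missing_key(text):
    """List item IDs, in order of appearance, whose link has no resource key."""
    missing = []
    for raw in _URL_RE.findall(text):
        parsed = parse_drive_link(raw)
        if parsed and parsed[1] is None and parsed[0] not in missing:
            missing.append(parsed[0])
    return missing


if __name__ == "__main__":
    for item_id in links_missing_key(SAMPLE_TEXT):
        print("no resourcekey:", item_id)
```
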