Review of the UpdraftPlus WordPress Backup Plugin: Requests full access to G-drive – Hack and sabotage risk

  • JuliaClark

    (@juliaclark)


    The plugin requests full admin rights to all of G-drive.
    Plus the creator of the app gave a nonsensical reply as to why full access was needed.
    https://wordpress.org/support/topic/google-drive-permissions/#post-11620744
    Absolute 100% security risk.

    DO NOT INSTALL. IF INSTALLED, UNINSTALL IMMEDIATELY.

    This app wants permission to access everything in your Google Drive. It will be able to do the same things that you can do, including:

    See your files
    Upload and download your files
    Delete your files
    See the names and emails of people that you share files with
    Share and stop sharing your files with others
    Remove people from your files
    Organize your Drive

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author David Anderson

    (@davidanderson)

    Hi Julia,

    See your files
    Upload and download your files
    Delete your files
    See the names and emails of people that you share files with
    Share and stop sharing your files with others
    Remove people from your files
    Organize your Drive … It will be able to do the same things that you can do

    This is not really the case. UpdraftPlus is open-source, installed on your website, and under the OAuth2 protocol as implemented in UpdraftPlus, only your website has the access token needed to perform actions. Since there’s no code in UpdraftPlus (which anyone can verify, it’s open source, unobfuscated, as per the rules of wordpress.org plugins) to do anything but upload and download backups, none of these things can happen. (And wordpress.org would boot us into outer space pretty instantly if that wasn’t the case!).

    As stated at the above link, Google’s Drive API (https://developers.google.com/drive/api/v2/about-auth) allows either 1) access only to files created by the app, or 2) access to all files in the Drive. If UD requested only 1), then it would not be possible to work with files that the user manually uploaded into Google Drive, which (from support experience) is used by many users. It’s also needed for being able to delete backups imported using the “Rescan remote storage” feature. If you know you’ll never want these features, use this snippet to restrict access only to files created by an UpdraftPlus upload and then authorise:

    // Restrict the requested Google Drive scope to files created by the app (drive.file) plus the public profile,
    // instead of the default full-Drive scope. Google's scope is spelt "drive.file" (singular).
    add_filter('updraft_googledrive_scope', function() { return 'https://www.googleapis.com/auth/drive.file https://www.googleapis.com/auth/userinfo.profile'; });

    N.B. Note that at the above developer link, it explains that the permission UpdraftPlus uses is granted to application developers (such as ourselves) if we pass a Google security review – which we did. I hope that counts for something!

    “It will be able to do” is somewhat ambiguous. It’s not specified what the “it” is – leaving open the possibility that you might be thinking that it means that UpdraftPlus staff can do these things. As explained above, this is not the case; the OAuth2 protocol means that only an entity possessed of the access token – which means, only the website (your website) with UpdraftPlus installed – can access anything.

    N.B. “userinfo.profile” is used to grab the account owner’s name (and only allows reading the user’s *public* profile, which is why Google don’t even bother listing it on their authorisation screen). Many users have multiple Google accounts and want to later be able to see which account they linked the website to.

    I note that Google have introduced a “read only” permission for file access. I’ve created a task in our task tracker to investigate this. If this can be used in combination with the permission to read files UD created, then we could drop the “all files” access.

    Best wishes,
    David

  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    There’s a lot going on here. I’m also deleting that tag, it’s inflammatory. I’ve also closed that other topic, users can start their own topics as that’s how these forums work.

    https://wordpress.org/support/plugin/updraftplus/#new-post

    DISCLAIMER: I’m a user of the commercial version of this plugin. I also know more than a little about security scenarios, access permissions and application access capabilities.

    *Drinks coffee*

    I’m glad we got that out of the way.

    @juliaclark I’m leaving this review in place for now. That may change later on after some conversation with the other moderators. The title “Requests full access to G-drive – Hack and sabotage risk” is also inflammatory and completely misleading.

    For OAuth2 to work, it does need access and David’s reply is a good one.

    Whenever you offer any app access to a 3rd party such as Google, Dropbox, Onedrive, Box, etc. you’re hopefully making an informed decision. You’re letting your site access a 3rd party as yourself or the account you set up on.

    Yes, it would be preferable if that access was minimized to just what was needed and that should be the case. Maybe that will change as David indicated and this conversation should be in a support topic (which is why this review may get archived). But the access is granted to the plugin on your installation only. Someone would have to compromise your site first to exploit your scenario.

    Are you planning on holding any plugin that has the option to write to 3rd party cloud storage responsible for your site? That’s a rhetorical question BTW.

    Make informed decisions. If you or anyone has a problem with the level of access being granted then don’t authorize the plugin on your site to access that data.

  • Plugin Author David Anderson

    (@davidanderson)

    @juliaclark

    > I note that Google have introduced a “read only” permission for file access. I’ve created a task in our task tracker to investigate this. If this can be used in combination with the permission to read files UD created, then we could drop the “all files” access.

    This change was implemented and released in July (version 1.16.16). If you update and re-authorise your sites, it will now only request the read-only permission.
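The thread above turns on one point: the token that UpdraftPlus stores on the site is what grants Drive access, so the scopes attached to that token define the blast radius if the site is ever compromised. The following is an added example (not UpdraftPlus code) showing how a site owner could audit the scopes a stored Google token actually carries against the least-privilege set a backup job needs. It assumes the JSON returned by Google's tokeninfo endpoint (whose "scope" field is a space-separated list) has already been fetched; the two responses embedded below are constructed for the example, one for the historical full-Drive scope and one for the restricted drive.file scope the filter snippet requests.

```python
"""Audit Google Drive OAuth2 scopes on a stored access token (added example).

Input is the JSON body Google's tokeninfo endpoint returns for a token;
the samples here are constructed, not real responses.
"""
import json

# Google Drive scope URLs (real identifiers), least to most privilege.
DRIVE_FILE = "https://www.googleapis.com/auth/drive.file"          # files the app created/opened
DRIVE_READONLY = "https://www.googleapis.com/auth/drive.readonly"  # read every file
DRIVE_FULL = "https://www.googleapis.com/auth/drive"               # read/write/delete/share everything
PROFILE = "https://www.googleapis.com/auth/userinfo.profile"       # public profile only

# Plain-language capabilities implied by each scope, for the report.
CAPABILITIES = {
    DRIVE_FILE: {"read own files", "write own files", "delete own files"},
    DRIVE_READONLY: {"read all files"},
    DRIVE_FULL: {"read all files", "write all files", "delete all files", "share all files"},
    PROFILE: {"read public profile"},
}

# Constructed tokeninfo responses (hypothetical values).
TOKENINFO_FULL = json.dumps({
    "scope": f"{DRIVE_FULL} {PROFILE}",
    "expires_in": "3599",
})
TOKENINFO_RESTRICTED = json.dumps({
    "scope": f"{DRIVE_FILE} {PROFILE}",
    "expires_in": "3599",
})

# What a backup job that only touches its own uploads needs.
NEEDED_FOR_OWN_BACKUPS = {DRIVE_FILE, PROFILE}


def parse_scopes(tokeninfo_json: str) -> set:
    """Extract the granted scopes from a tokeninfo JSON body."""
    info = json.loads(tokeninfo_json)
    return set(info.get("scope", "").split())


def audit_scopes(granted: set, needed: set) -> dict:
    """Compare granted scopes with the needed set and summarise the exposure."""
    excess = granted - needed
    missing = needed - granted
    caps = set().union(*(CAPABILITIES.get(s, {f"unknown scope {s}"}) for s in granted))
    return {
        "excess": sorted(excess),
        "missing": sorted(missing),
        "capabilities": sorted(caps),
        "least_privilege": not excess and not missing,
        # The scope the review worried about: delete/share everything in the Drive.
        "can_delete_all": DRIVE_FULL in granted,
    }


if __name__ == "__main__":
    for label, body in (("full", TOKENINFO_FULL), ("restricted", TOKENINFO_RESTRICTED)):
        report = audit_scopes(parse_scopes(body), NEEDED_FOR_OWN_BACKUPS)
        print(label, json.dumps(report, indent=2))
```

Run against a real tokeninfo body after re-authorising, the report's "excess" list shows whether the full-Drive scope is still attached to the token the site holds; an empty "excess" with "least_privilege" true is the state the filter snippet (or the 1.16.16 read-only change) is meant to produce.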
