Author here — this research began as a Google VRP submission (Aug 2025) and focused on a systemic permission-inheritance pattern in Google Drive.
Key points:
- Files inside a publicly shared folder can return sensitive metadata (names, emails, timestamps, links) via unauthenticated API calls using any valid API key
- Google VRP classified the behavior as “intended” and “infeasible to address” under current design
- No UI banners or audit trails indicate inherited exposure
- VRP acknowledged that a leaked key isn’t required, but that public keys online make automation trivial
- Broader implications exist for other cloud vendors using similar inheritance models
Would love to hear HN’s thoughts on:
- Practical mitigations for vendors and admins
- How to improve user awareness of inherited exposure
- Any similar patterns you’ve seen across other platforms
Hxroot•5mo ago
Key points: - Files inside a publicly shared folder can return sensitive metadata (names, emails, timestamps, links) via unauthenticated API calls using any valid API key - Google VRP classified the behavior as “intended” and “infeasible to address” under current design - No UI banners or audit trails indicate inherited exposure - VRP acknowledged that a leaked key isn’t required, but that public keys online make automation trivial - Broader implications exist for other cloud vendors using similar inheritance models
Links: - Medium deep dive: https://medium.com/@aei.ismaieel/the-inheritance-trap-how-cl... - GitHub (sanitized PoCs + safe scripts): https://github.com/ISMAIEEL/inheritance-trap
Would love to hear HN’s thoughts on: - Practical mitigations for vendors and admins - How to improve user awareness of inherited exposure - Any similar patterns you’ve seen across other platforms