How I’ve Gained Access to 60+ Google Docs That Aren’t Mine

How I’ve Gained Access to 60+ Google Docs That Aren’t Mine

Cloud services that we all love to use enable us to share documents easily and collaborate on them in real-time.

I have to confess though, that when sharing a document, the most common option that I use is Share with “Anyone with the link”. It’s fast and without issues (the other party doesn’t have to have an account, doesn’t have to be logged in etc.)

On top of that, the URL contains a long string of characters that work as a password. So the chance of anyone getting access to it is quite slim, isn’t it?

How can someone else reveal your secret URL?

There is one thing that’s good to know – when one site links to other and both are using a secure connection (SSL, such as Google Docs), the full referrer (original URL) is passed to the page that’s being linked to. The number of sites running on secure connection is quickly rising, not only because of the benefits for SEO.

If you link to a website on a secure connection (you’ll see HTTPS in the URL or a green lock icon in your address bar), owner of the linked site will be able to record the URL and use it to get to your private document easily.

Imagine you are preparing a proposal for your client and mention their competitors in the doc. Sharing this with just a link isn’t the best idea. Assuming you don’t want the competitors to get hold of it.

Let’s do a test!

Out of curiosity, I had opened Google Analytics of one of my SEO clients. There I was able to discover 1 418 visits from

It’s a tiny percentage of the overall traffic, but ever with that, there are929 unique URLs of documents!

One easy export and import to handy SEO tool ScreamingFrog let me crawl titles of these documents. Most of these URLs are shared with limited recipients, but I was able to find 69 working document addresses (7.43 %) – these I would be able to open and read their full content.

How many of them are truly intended to be public we’ll never know.

When sharing a document via a “secret” URL, keep in mind that it means you prefer comfort over the safety of your data or data of someone else. Anyone who can do a couple of clicks in Google Analytics may be able to reveal your “private” URL.