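How I Access The Deleted Files of Someone in Google Drive | Bug Bounty
Files moved to the trash in Google Drive appear to be inaccessible, but they can in fact still be downloaded directly through a specific link, which may lead users to believe they have securely deleted a file. 2025-4-29 08:2:12 Author: infosecwriteups.com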

Ph.Hitachi

The Illusion of Deletion: How Trashed Files in Google Drive Can Still Be Accessed — Understanding Google Drive’s Trashed File Accessibility

Hi Guys,

Introduction:

So today, we will be discussing an interesting discovery about Google Drive’s trash functionality — something that might surprise you. If you’ve ever assumed that moving a file to the trash means it’s completely inaccessible, think again!

What if I told you that your supposedly “deleted” file could still be downloaded with just one simple trick? It all started when I stumbled upon an interesting behavior in Google Drive — something that didn’t quite make sense. I had a file, shared publicly with “Anyone with the link” as a viewer, and I decided to delete it by moving it to the trash. Naturally, I assumed that would be the end of it — no one else should be able to access it anymore.

But then came the surprise.

Upon attempting to access the file through its usual Google Drive link, I was greeted with the message:

“No preview available. File is in the owner’s trash.”

At first glance, this seemed reasonable. The UI made it clear — the file was trashed, and it appeared that it was no longer accessible. However, curiosity got the better of me. What if I tried accessing it another way?

The Discovery: A Direct Download Bypass

Instead of using the standard Google Drive interface, I decided to test something, the direct download endpoint:

https://drive.usercontent.google.com/download?id=<FILE_ID>&export=download&authuser=0

To my surprise, the file downloaded without issue. Despite being moved to the trash, the file remained fully accessible through this alternative route.

At this point, I started writing a report on Google VRP.

Google’s Response: “This is Working as Intended”

“Hi! Although it may come as a surprise, this is actually working as intended.”

After reporting my findings to Google’s Vulnerability Reward Program (VRP), I quickly received a response from the security team. They stated that this behavior was not a bug, but rather an intentional design choice. Their reasoning was simple:

https://support.google.com/drive/answer/2375102
  • Moving a file to trash does not immediately revoke access.
  • A file remains accessible until it is permanently deleted.
  • If a file was shared before being trashed, its permissions remain unchanged.

This meant that anyone with the original direct link could still access the file — until the owner manually deleted it forever.

Proof of Concept:

Accessible Vs Downloadable

Although it is documented by Google, I'm still confused about "remain accessible" and "downloadable": when you have shared the files, they are totally accessible without preview and also not downloadable.

Although Google insists this is expected behavior, it creates a false sense of security for users. Here’s why:

  1. Misleading UI Experience
  • The Google Drive interface removes the preview and download buttons, making it seem like the file is no longer accessible.
  • This leads users to believe they have revoked access when, in reality, the file remains downloadable.
  2. Potential for Accidental Data Leaks
  • Users may trash sensitive files, believing they are inaccessible, while others with the direct link can still access them.
  • This creates a window of risk where files remain publicly available despite appearing “deleted.”
  3. Inconsistent Behavior Between Google Drive UI & Backend
  • The UI tells users “this file is in the trash and cannot be viewed.”
  • The backend (Google Drive API & direct download endpoint) still allows file retrieval.

Final Thoughts — The Hidden Danger of Google Drive Trash

This experience served as a reminder that deletion doesn’t always mean what we think it does — especially in cloud-based services. While Google’s behavior is intentional, it contradicts user expectations and could lead to unintended data exposure.

For now, the best way to truly delete a shared file is to:

  1. Manually remove public sharing before trashing.
  2. Permanently delete the file from the trash.

Otherwise, that “deleted” file might still be lurking in the depths of Google Drive, just a direct link away from anyone who has it.
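
As an added example that is not part of the original post or Google's own code: the two cleanup steps above expressed as a Python audit over file metadata shaped like Drive API v3 `files.list` output. The sample records, the `plan_cleanup` helper and the `report_only` action are assumptions made for illustration, and the check goes slightly beyond the post by also flagging domain-wide link grants.

```python
# Added example. Records mimic Drive API v3 files.list output requested with
# q="trashed = true" and
# fields="files(id,name,trashed,ownedByMe,permissions(id,type,role))".
LINK_TYPES = {"anyone", "domain"}  # grants not tied to a named account


def plan_cleanup(files, purge=False):
    """Return ordered API actions that close access to trashed, link-shared files."""
    plan = []
    for f in files:
        if not f.get("trashed"):
            continue  # live files are outside this audit
        open_perms = [p for p in f.get("permissions", [])
                      if p.get("type") in LINK_TYPES]
        if not open_perms:
            continue  # trashed and shared only with named accounts (or nobody)
        if not f.get("ownedByMe"):
            # Assumption for this example: files owned by someone else are
            # reported to their owner, not modified.
            plan.append(("report_only", f["id"], None))
            continue
        # Step 1 from the article: remove link sharing first.
        for p in open_perms:
            plan.append(("permissions.delete", f["id"], p["id"]))
        # Step 2 from the article: permanent deletion; opt-in, it is irreversible.
        if purge:
            plan.append(("files.delete", f["id"], None))
    return plan


# Constructed sample metadata (IDs are placeholders, not real files).
SAMPLE = [
    {"id": "FILE_A", "name": "payroll.xlsx", "trashed": True, "ownedByMe": True,
     "permissions": [{"id": "OWNER_PERM", "type": "user", "role": "owner"},
                     {"id": "anyoneWithLink", "type": "anyone", "role": "reader"}]},
    {"id": "FILE_B", "name": "notes.txt", "trashed": True, "ownedByMe": True,
     "permissions": [{"id": "OWNER_PERM", "type": "user", "role": "owner"}]},
    {"id": "FILE_C", "name": "deck.pdf", "trashed": False, "ownedByMe": True,
     "permissions": [{"id": "anyoneWithLink", "type": "anyone", "role": "reader"}]},
    {"id": "FILE_D", "name": "shared.doc", "trashed": True, "ownedByMe": False,
     "permissions": [{"id": "anyoneWithLink", "type": "anyone", "role": "reader"}]},
]

if __name__ == "__main__":
    for action, file_id, perm_id in plan_cleanup(SAMPLE, purge=True):
        print(action, file_id, perm_id or "")
```

Each tuple names the Drive API v3 method to call (`permissions.delete`, then optionally `files.delete`) with the file and permission IDs it needs.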

Contact:
Twitter: https://x.com/PhHitachi
LinkedIn: www.linkedin.com/in/phhitachi


Article source: https://infosecwriteups.com/how-i-access-the-deleted-files-of-someone-in-google-drive-bug-bounty-eac134df1de4?source=rss----7b722bfd1b8d--bug_bounty