A newly discovered vulnerability in Google Drive Desktop for Windows shatters the trust in one of the most widely used file-syncing applications.

Researchers have identified a broken access control flaw that enables any logged-in user on a shared Windows machine to gain full access to another user’s Drive contents My Drive and Shared Drives alike, without re-authentication.

This vulnerability puts sensitive contracts, financial records, proprietary code, and personal photos at risk, undermining fundamental security principles such as Zero Trust, encryption at rest, and session management.

Vulnerability Overview

Google Drive Desktop caches synchronized files locally in a hidden directory using DriveFS. However, these caches are not properly isolated between Windows user profiles.

By copying the contents of one user’s DriveFS folder into another’s, the app blindly “trusts” the copied cache and loads the victim’s Drive data as if the attacker were the legitimate owner.

No re-authentication is required, and cached sessions persist indefinitely, violating encryption-at-rest expectations.

This flaw is especially dangerous in multi-user environments such as corporate workstations, university labs, or coworking spaces.

An insider or simply anyone with local access can silently exfiltrate sensitive data, modify or delete files, and disrupt operations.

According to the Verizon DBIR 2024, insider threats account for 22 percent of breaches, and the Ponemon Institute reports an average annual cost of $15.38 million for insider incidents, making this issue far from theoretical.

Proof of Concept

Researchers tested the flaw on Windows 10 and 11 with Google Drive Desktop version 112.0.3.0:

1. Attacker logs into Drive Desktop with their own credentials.
2. The Drive app is closed.
3. The attacker copies the victim’s DriveFS cache folder from
   C:\Users\<victim>\AppData\Local\Google\DriveFS\<ID>\
   into their own DriveFS directory at
   C:\Users\<attacker>\AppData\Local\Google\DriveFS\<ID>\.
4. Upon restarting Drive Desktop, the victim’s My Drive and Shared Drives load automatically.
5. Even pausing sync preserves access to the victim’s My Drive indefinitely.

Figure 1. Cross-user exposure by copying the DriveFS cache between profiles.

For Google

• Implement per-user encryption at rest for DriveFS caches, tied to account credentials.
• Require re-authentication when mounting any cache.
• Enforce OS-level ACLs to isolate cache directories between profiles.
• Provide an admin option to revoke or invalidate cached sessions.

For Users and Organizations (Interim Controls)

• Avoid Google Drive Desktop on shared or multi-user systems.
• Clear the DriveFS cache before switching accounts.
• Use separate Windows profiles with strict permissions.
• Limit Drive Desktop to dedicated, managed endpoints with minimal insider-threat risk.

Google Drive Desktop’s failure to enforce Zero Trust principles, encryption at rest, and session re-authentication exposes organizations to severe insider-threat risks and non-compliance with standards like NIST SP 800-53, ISO 27001, and HIPAA.

Until Google addresses this vulnerability, IT administrators and users must adopt interim mitigations to safeguard sensitive data on shared Windows machines.

Find this Story Interesting! Follow us on Google News, LinkedIn and X to Get More Instant Updates