CRZ-004
Prod docs hosted as publicly-shareable Google Doc
info
CVSS 3.1: 5.3 · Asset: doc.corezoid.com
- Severity: Informational (possibly Low)
- CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N → 5.3 if the doc content is sensitive
- CWE: CWE-285 (Improper Authorization)
- Asset: https://doc.corezoid.com
- Discovered: 2026-04-26
- Status: Open — needs review of what's inside the Google Doc
Summary
doc.corezoid.com 302-redirects to
https://docs.google.com/document/d/1-31BBNhy2DUIfu-EljVn3MJr3GSOVqJ3PIwjGPUi3So/edit?tab=t.0#heading=h.ozm883b0d4z0.
Corezoid's official product documentation is therefore hosted inside a
single Google Doc. Anyone who follows the redirect (or guesses the doc
ID) can:
- Read the document in full
- Potentially comment (depending on share setting)
- Potentially edit (depending on share setting)
Google Doc share settings could be:
- "Anyone with the link can view" — current observed state (since no auth challenge appears on redirect)
- "Anyone can comment" — attacker could inject comments seen by staff
- "Anyone can edit" — attacker could deface documentation
Reproduction
$ curl -skI https://doc.corezoid.com/ | grep -i location
location: https://docs.google.com/document/d/1-31BBNhy2DUIfu-EljVn3MJr3GSOVqJ3PIwjGPUi3So/edit?tab=t.0#heading=h.ozm883b0d4z0
Open the URL in a browser to confirm the share permission and whether the document contains anything beyond public documentation.
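The reproduction above turned into a repeatable check, as an added example that is not part of the original finding: it classifies the header text that `curl -skI` prints for one hostname, so a list of your own subdomains can be swept for redirects to externally hosted documents. The `example.com` hostnames, the placeholder document ID and the `THIRD_PARTY_DOC_HOSTS` set are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts that serve shareable documents outside your own CMS.
THIRD_PARTY_DOC_HOSTS = {"docs.google.com"}
DOC_PATH = re.compile(r"^/document/d/([A-Za-z0-9_-]+)(?:/([a-z]+))?")

# Constructed sample responses (placeholder hostnames and document ID).
SAMPLE_DOC = (
    "HTTP/2 302\r\n"
    "location: https://docs.google.com/document/d/EXAMPLE_DOC_ID_0000/edit?tab=t.0\r\n"
    "\r\n"
)
SAMPLE_INTERNAL = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/docs/\r\n\r\n"


def classify_redirect(raw_headers, own_domain):
    """Classify the header text printed by `curl -skI https://host/`."""
    lines = raw_headers.replace("\r\n", "\n").split("\n")
    parts = lines[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    location = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            location = value.strip()
            break
    if not (300 <= status < 400) or not location:
        return {"finding": "no-redirect", "status": status}
    target = urlsplit(location)
    host = (target.hostname or "").lower()
    # A relative Location or one inside own_domain stays on infrastructure you control.
    if not host or host == own_domain or host.endswith("." + own_domain):
        return {"finding": "internal-redirect", "status": status, "host": host}
    result = {"finding": "external-redirect", "status": status, "host": host}
    match = DOC_PATH.match(target.path)
    if host in THIRD_PARTY_DOC_HOSTS and match:
        # "mode" is only the URL form (edit/view/preview), not the share
        # permission; that still has to be confirmed in the document's settings.
        result.update(finding="third-party-doc", doc_id=match.group(1), mode=match.group(2) or "")
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_DOC, SAMPLE_INTERNAL):
        print(classify_redirect(sample, "example.com"))
```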
Impact
- If share is view-only: low — essentially just hosting public docs on Google Docs
- If anyone-can-edit: defacement, social engineering vector (attacker plants malicious link in docs customers trust)
- If the doc contains internal URLs, staging credentials, or API keys (which is common in "quick fix" docs that hide in Google Docs forever) — information disclosure
Remediation
- Audit the Google Doc share settings. Change to "Restricted — only members of corezoid.com" if the content is not intended for public distribution.
- Move official product documentation to a controlled CMS (Docusaurus, Mkdocs, Readme.io) where content and auth are version-controlled.
- Audit the full document revision history for any sensitive content that was ever pasted in and forgotten.
- Add rel=noopener and enforce cert pinning if you keep the redirect.
References
- CWE-285: Improper Authorization