Drive API Update

Good morning everyone,

did anyone else receive an email about Drive API requires updates to your code before Sep 13, 2021?

"Hello Google Drive Developer,

We have identified you as a Developer who has used the Drive API in the last 30 days. We are writing to let you know that on September 13, 2021, Drive will apply a security update that will change the links used to share some files, and may lead to some new file access requests. Access to files won’t change for people who have already viewed or modified these files.

Please update your code as detailed below before September 13, 2021, to avoid failing requests. "

2 Likes

I guess everyone who set up a developer account in order to create and use their own Google Drive client ID will have got this email. But as most will not actually have developed any associated application, I'm assuming we don't need to do anything.

Am I right?

I received the same e-mail too. It's quite technical and I wonder whether any manual intervention is required, considering rclone is listed at the end of the e-mail (at least for me):

Which projects may be affected?
Your projects that have used the Drive API in the last 30 days and may be affected by this change are below:

  • rclone (rclone-...........)
1 Like

it is indeed.
they dont say if the project (rclone) will be affected but lets wait on more replys :slight_smile:

Hi,

I'm wondering as well, if we have to do something beforehand.

To avoid errors accessing files, you must update your code for accessing files to include the appropriate resource keys

For me: The worst that can happen, my backup will not run after the 13th, but this is not really critical.

This change is all about the Security update for Google Drive. Please google it, because I'm not allowed to insert a link here: Sorry, you can't include links in your posts.

If you're sharing files with Google Drive this Security update will affect you as well.

Last but not least: The listed project at the end of the mail, is the name of the project you chose back in the day. It's just a coincidence that you named it rclone. For me it's a completely different name.

Hello everyone,

I got the same email. Here's a full, redacted copy:

I actually got 2 of these messages, one for each account I have 'registered as a Google Developer'.

I strongly suspect that:

  1. This is related to the recent "easy-to-guess Google Drive links exploit" Google has been patching as of late, and that has been widely reported in the tech press (e.g.);

  2. We are receiving these emails because, as we once accessed the Developer's Console to create a Google Drive API key for rclone (as instructed by rclone's Google Drive instructions), Google now considers us to be "developers".

  3. Impact on rclone will be minimal: AFAIK, rclone do not use the affected functionality directly, and only Google Documents/Sheets copied to local storage and/or mounted with the --drive-export-formats= followed by one of the acceptable extensions (desktop, link.html, url, webloc) will be affected, in the sense that they will have to be re-exported/re-copied/re-mounted after rclone implements the Google-mandated changes (I strongly suspect rclone will have to be updated to handle them).

@ncw, can you please confirm/fix/append to my summary above?

Thanks,
-- Durval.

2 Likes

Wondering the same thing. Following.

I'm not using rclone yet, but it is something we certainly see potential for. We have been a Google company for many years and I certainly received this 'developer' message as well as seeing that the links for several of my Drive files have been made more secure already!

Here is what I can see so far and it does seem to be inline with the documentation at various sites.

  1. This does not apply to native Google files (Docs/Sheets/Slides etc), however it does apply to folders
  2. It does apply to files uploaded to Drive like PDFs, PNGs, MS Office files
  3. It only applies to files which have been shared to everybody using a link (this means 'external' shares if you are part of gapps/gsuite/workspace etc)
  4. It does not apply to files shared by link within your gapps/gsuite/workspace domain
  5. The additional security component, the 'resourcekey', has actually been added to all files shared in this way since late 2017 (the most recent of my files that is affected is dated Oct 25, 2017)

So for most people, this only matters if you have old, non-Google files, shared by link across the Internet. Even then it will apparently only matter if the person attempting to access the file has not done so already.

I don't know exactly how rclone works, but I would expect any changes to be minimal as it appears to be interacting as a service account or impersonating an internal user, so it shouldn't ever have to worry about external shares and links.0

4 Likes

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.