Google Drive Desktop App Flaw Could Expose Sensitive Data on Shared PCs

Flaw in Google Drive exposes data on shared Windows devices.

Key Takeaways:

  • A newly discovered flaw affects the Google Drive desktop app on Windows.
  • It puts user data at risk in shared computer environments.
  • Researchers outline mitigation steps for organizations and IT admins.

Cybersecurity researchers have disclosed a critical flaw in the Google Drive Desktop app for Windows. The vulnerability allows any logged-in user on a shared device to access another person’s data without re-entering credentials.

How does the Google Drive flaw work?

This vulnerability (CVE-2025-5150) in the Google Drive desktop app arises from how the application handles cached data in the local file system. Specifically, the app stores user data in a folder called DriveFS, which is not securely isolated per user. This means that if someone has access to a shared Windows machine, they can copy another user’s DriveFS cache folder and paste it into their own profile. When the app restarts, it blindly trusts the contents of the cache and mounts the other user’s drive without requiring any re-authentication.

Essentially, this flaw is a failure in session and identity validation. The application assumes that the presence of a cache folder implies authorized access, without verifying whether the current user is the rightful owner of that data. This breaks fundamental security principles like zero trust and encryption at rest, which makes it possible for unauthorized users to access, modify, or delete sensitive content on shared systems.

Security researchers have tested this vulnerability using the Google Drive desktop app version 112.0.3.0. The flaw allows unauthorized access to Google Drive data without requiring a password or login, and access persists even if sync is paused.

This Google Drive vulnerability poses a serious risk in shared environments like offices or universities. It could enable any user with local access to steal, alter, or delete another user’s files.

Recommended mitigation steps for IT admins

Organizations can mitigate the risks posed by this vulnerability by implementing strict access controls and usage policies for the Google Drive desktop app. They should avoid deploying the app on shared or public machines where multiple users have access. Instead, Google Drive should be restricted to dedicated, trusted devices with individual user profiles and proper permission settings to prevent unauthorized access to local files.

Additionally, IT administrators should enforce regular clearing of cached data, especially before switching users on a device. Moreover, they can use endpoint management tools to monitor and restrict the installation and usage of the Google Drive desktop app. It’s also recommended to educate employees about the risks of local caching and encourage the use of browser-based Drive access on shared systems to reduce exposure further.
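
The permission check recommended above can be scripted. The following PowerShell audit is an added example, not code from the researchers or from Google: it lists every DriveFS cache folder whose ACL grants access to an account other than the profile owner, SYSTEM, or Administrators. It assumes the cache is a directory named DriveFS somewhere under each user profile and uses a constructed default search depth of 4; run it from an elevated session.

```powershell
# Added example: audit DriveFS cache folder permissions on a shared Windows PC.
# Assumptions: the cache is a directory named "DriveFS" under each user's
# profile; the default search depth of 4 is a constructed value.
param([int]$Depth = 4)

# SIDs that legitimately hold rights on any profile folder.
$trusted = @('S-1-5-18',       # NT AUTHORITY\SYSTEM
             'S-1-5-32-544')   # BUILTIN\Administrators

$profiles = Get-CimInstance Win32_UserProfile | Where-Object { -not $_.Special }

$findings = foreach ($p in $profiles) {
    if (-not (Test-Path -LiteralPath $p.LocalPath)) { continue }

    # -Force includes hidden folders such as AppData; access errors on
    # legacy junction points are ignored.
    $caches = Get-ChildItem -LiteralPath $p.LocalPath -Directory -Recurse `
                  -Depth $Depth -Filter 'DriveFS' -Force -ErrorAction SilentlyContinue

    foreach ($dir in $caches) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                # Compare by SID so renamed or localized account names still match.
                $sid = $ace.IdentityReference.Translate(
                           [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                $sid = $ace.IdentityReference.Value   # orphaned or unresolvable entry
            }
            if ($sid -eq $p.SID -or $trusted -contains $sid) { continue }

            # Anything left is a principal other than the owner with access to the cache.
            [pscustomobject]@{
                Profile  = $p.LocalPath
                Cache    = $dir.FullName
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output 'No DriveFS cache folder grants access beyond its owner, SYSTEM, and Administrators.' }
```

Local administrators can read any profile regardless of these ACLs, so a clean result does not make the app safe on a machine where ordinary users hold admin rights.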