This post describes a security design flaw that I found last year in Google Sheets. While this isn’t a traditional security bug, it could still create vulnerability for users and is a good example of how surprising behavior can violate users’ security expectations. In summary: contrary to the expectation set by the UI, both hidden columns and hidden sheets in shared Google Sheets documents can be viewed by anyone who can access the document, even by read-only users when exports are disabl...
