Rodney Beede
business2008+YouMustAddThisPlusPart@NOSPAM@rodneybeede (add the missing dot here) com

Uses JavaScript JSON loading to send the content via same idea as CSRF. Combination of CSRF and JSON Hijacking.


  1. The attacker must know the target Google Spreadsheet file ID (not hard to obtain; this PoC limited on purpose to avoid script kiddies)
  2. Requires victim to be tricked into viewing the page content although it could be a hidden iframe. Use of advertising networks is still an option too. Watering hole attack
  3. Useful for an attacker who perhaps used to have access to a document but later had it revoked. Think of a business employee no longer with the company.

    Mitigation: After removing someone's access to a document make a copy of the existing document, delete (and purge from trash) the original, and reference only the new document's ID. Also try not to visit sites with hidden content (hard in this age).