Critical Workaround: Students bypassing Safe Doc via instant Drive ownership transfers

28 views
Skip to first unread message

M Tauber

unread,
Feb 23, 2026, 7:41:19 PMFeb 23
to safedoc-...@xfanatical.com
Hi everyone,
I wanted to flag a creative loophole students in our SOS have discovered to bypass Safe Doc’s document restrictions, and suggest a logical addition to Safe Doc's feature set that could permanently patch it.
The Setup
We are heavily utilizing the Safe Doc policy that prevents students from opening any Google Drive file unless it is owned by a whitelisted OU (Staff/Teachers). This is critical for preventing unmonitored chat rooms and rogue collaboration documents.
The Exploit
Students have figured out a way to "launder" the document ownership. They create a blank file, share it with a whitelisted teacher, and immediately click "Transfer Ownership."
Because internal Google Workspace transfers are instantaneous and do not require the teacher to click "Accept," the file officially belongs to the teacher the second the student clicks the button. Safe Doc sees a "teacher-owned" file and grants access, leaving the students with a fully unmonitored, open document that the teacher likely doesn't even know exists.
The Google Admin Catch-22
We cannot fix this natively in the Google Admin console. Workspace permanently links the "Transfer Ownership" capability with standard sharing permissions.
If we leave sharing open, the loophole remains.
If we use Trust Rules to completely block students from sharing files with the Staff OU, we physically break Google Classroom (students lose the ability to "Turn In" assignments).
The Feature Request
Since Safe Doc already utilizes a Service Account with Domain-Wide Delegation to manage and revert other sharing settings, the infrastructure to patch this seems to already be in place.
Would it be possible to add a feature that actively monitors for this specific ownership transfer event? If Safe Doc could automatically intercept that transfer and instantly revert the ownership back to the student, the standard Safe Doc block would immediately kick back in.
This would surgically close a major blind spot without forcing admins to break Google Classroom workflows. Would love to hear if other admins are seeing this in their environments and if the dev team thinks this is a viable addition!

Jason Huang

unread,
Feb 24, 2026, 2:53:59 PMFeb 24
to xFanatical Safe Doc Community, mta...@shluchim.school
Hello, sorry to hear about the issue with students finding loopholes to share Google documents with each other. 
We will look into the Drive file ownership monitoring solution you mentioned. This would be more technically feasible within our Foresight product.
In the meantime, Safe Doc offers a couple of policies that could serve as workarounds.
  • BlockTransferOwnership. This policy disables the Transfer Ownership feature in Google Drive sharing. 
    Transfer-ownership-menu-item-in-Google-Drive-share-dialog.png
    To enable the policy, set the policy as follows
    "BlockTransferOwnership": {
      "Value": true
    }
  • BlockDriveShare. This policy disables the Google Drive sharing feature across Drive and Docs, but still allowing students submitting Google Drive files to Google Classroom assignments. 
    To enable the policy, set the policy as follows
    "BlockDriveShare": {
      "Value": true
    }
Would these two policies help mitigate the issue?
Thank you.

Reply all
Reply to author
Forward
0 new messages