Slashdot Mirror


Microsoft Yanks Docs.com Search After Complaints of Exposed Sensitive Files (zdnet.com)

Microsoft has quietly removed a feature on its document sharing site Docs.com that allowed anyone to search through millions of files for sensitive and personal information. From a report on ZDNet: Users had complained over the weekend on Twitter that anyone could use the site's search box to trawl through publicly-accessible documents and files stored on the site, which were clearly meant to remain private. Among the files reviewed by ZDNet, and seen by others who tweeted about them, were password lists, job acceptance letters, investment portfolios, divorce settlement agreements, and credit card statements -- some of which contained Social Security and driving license numbers, dates of birth, phone numbers, and email and postal addresses. The company removed the site's search feature late on Saturday, but others observed that the files were still cached in Google's search results, as well as Microsoft's own search engine, Bing.

55 comments

  1. Information wants to be free by ColdWetDog · · Score: 5, Insightful

    Well, your information, not ours.

    FTFA (and a major WTF)

    All of the documents would have been uploaded by their owners, but they may not have realized that each document could be made public, which is Docs.com's default uploading setting, compared to files created or edited with Word and Excel Online, which are private until set otherwise.

    --
    Faster! Faster! Faster would be better!
    1. Re:Information wants to be free by Wootery · · Score: 1

      That's a serious design-level security bug. Morons.

    2. Re:Information wants to be free by MightyYar · · Score: 4, Interesting

      Maybe, but the site does declare "Showcase and discover Microsoft Word, Excel, PowerPoint, OneNote, Sway, Minecraft world and PDF documents for free" in like 40-point font at the top of the home page. Why are people using this if they don't want to "showcase"?

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    3. Re: Information wants to be free by Zero__Kelvin · · Score: 1

      It doesn't say "showcase to everyone in the world" so it would be absurd to assume that is what it means. They assumed that they could decide to whom they would and would not "showcase" it.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re: Information wants to be free by MightyYar · · Score: 1

      I can think of better ways to "showcase" my divorce paperwork. YouTube can be used for private videos, too, but the public default does not seem to rankle. It seems like this site was trying to be the "YouTube of documents". It wouldn't surprise me if that's how it got pitched. Anyway, I hope you take a stop over to docs.com and see how grossly unsuited it is to tasks requiring security or discretion. I think this may rank up there with "do not insert into any orifice" labels on curling irons.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  2. Isn't the cloud great? by danomac · · Score: 4, Insightful

    I don't know why people use the cloud to store sensitive documents. It just doesn't seem like a smart thing to do.

    1. Re:Isn't the cloud great? by MightyYar · · Score: 4, Insightful

      Because sometimes it's just sort of "fuck it". You can stress over every move you make online, or you can take reasonable precautions and risk recovering from something like identity theft later on. One of those reasonable precautions should probably be using something reputable and purpose-built like Dropbox or Drive rather than something that proclaims on the front page "Showcase and discover Microsoft Word, Excel, PowerPoint, OneNote, Sway, Minecraft world and PDF documents for free". Don't use a showcase site for your private files...

      Along the lines of "fuck it", I regularly put my tax documents in Dropbox during tax season. It's reasonably safe, I think, compared to putting them in my pocket in an easily-lost USB stick or on a frequently-stolen laptop. It's not like the physical world is completely safe, either, and Dropbox and Google are going to be better at IT than I am.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    2. Re:Isn't the cloud great? by Anonymous Coward · · Score: 0

      if it's encrypted at rest and you can turn it off and on at a whim, then i don't see the problem.

    3. Re:Isn't the cloud great? by Anonymous Coward · · Score: 2, Informative

      Ease of use and access. The same reason people do anything.

    4. Re:Isn't the cloud great? by __aaclcg7560 · · Score: 2

      I pulled my data out of the cloud and put it on a file server. It doesn't need to live 24/7 on the Internet.

    5. Re:Isn't the cloud great? by AthanasiusKircher · · Score: 2

      It's reasonably safe, I think, compared to putting them in my pocket in an easily-lost USB stick or on a frequently-stolen laptop.

      Now you have me curious -- just how often is this laptop stolen? How many owners has it had? Why would you want to store anything on such a thing?

      Or is it your laptop, and it's stolen again and again, but you keep recovering it? If so, do you work in some sort of sensitive information industry where somebody keeps deliberately taking your laptop and then making it easy for you to find it again (after they've presumably taken any new data on it, I guess?)?

      I'm really intrigued by this "frequently-stolen laptop" -- sounds like a fascinating story.

    6. Re:Isn't the cloud great? by 140Mandak262Jamuna · · Score: 2

      I pulled my data out of the cloud and put it on a file server. It doesn't need to live 24/7 on the Internet.

      Come on, it has to be. You might not need it. But companies that index and sell information need it to be on the net and be available when their web crawler is on the prowl.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    7. Re:Isn't the cloud great? by danomac · · Score: 1

      Alas, are you *sure* it's still not in the cloud? It probably is, somewhere.

    8. Re:Isn't the cloud great? by thegarbz · · Score: 1

      Because Cloud != open and public necessarily.

      And this is just an example of that. Only documents which were set to public were shared.

      Now why the defaults on cloud providers don't err majorly on the side of caution is another story, but as always there's more to this than "cloud bad hurr hurr hurr"

    9. Re:Isn't the cloud great? by __aaclcg7560 · · Score: 1

      Alas, are you *sure* it's still not in the cloud? It probably is, somewhere.

      That data wasn't as sensitive as the background investigative file for my security clearance that the Chinese stole from OPM a few years ago.

    10. Re:Isn't the cloud great? by mspohr · · Score: 3, Funny

      Research shows that there is a single "frequently stolen laptop" which has been stolen 137 times. This laptop is just a shite laptop which keeps getting stolen from Starbucks but it is so useless that people return it to Starbucks where it is stolen again by new unsuspecting thieves.
      Each thief who tries to use it enters their passwords into Yahoo mail and Facebook but it is so slow that they quickly realize that they are wasting their time and they can't even sell it to their dumb brother. Of course, this laptop contains a festering pile of malware so their passwords are immediately sent to The Great Orange One who reads their email and Tweets conspiracy theories about all of these people sending him sensitive super top secret data... so SAD.

      --
      I don't read your sig. Why are you reading mine?
    11. Re:Isn't the cloud great? by Anonymous Coward · · Score: 1

      Because sometimes it's just sort of "fuck it". You can stress over every move you make online, or you can take reasonable precautions and risk recovering from something like identity theft later on.

      I believe you are right about all of that, and the tradeoffs. The issue I have is that other people do not make that choice wisely when dealing with my info.

      There are times you can say "ok, good enough" and be done with it. But when the risk of exposure causes major problems such as identity theft for a third party, more care should be taken, and people do not always take that care.

    12. Re:Isn't the cloud great? by newbie_fantod · · Score: 1

      Exactly. Google Docs is only one of many cloud services, one that happens to encourage sharing - it's a weird place to store your tax returns.

    13. Re:Isn't the cloud great? by ugen · · Score: 1

      Same reason they use banks to store money (and not keep them under the mattress in cash).
      However, with that, comes expectation of some duty of care on the part of those storing such information. I.e. - not releasing it to unrelated 3rd parties without appropriate authorization (which depends, in turn, on document type, storage mode and document owner selections). The default should definitely not be "everyone can easily search and read".

    14. Re:Isn't the cloud great? by Voyager529 · · Score: 1

      Because Cloud != open and public necessarily.

      Perhaps not - that's why there's Spideroak and a few others whose MO is storing data on someone else's hard disk, but not the means of accessing it. It may well be possible to use Google Docs and OneDrive and Docs.com and Dropbox securely, but while it's possible to point to individuals and organizations who have had data compromised inadvertently, it's far less common for that to happen to data kept internally. "Default Distrust" is not paranoia, it's a response to reality.

      And this is just an example of that. Only documents which were set to public were shared.

      Now why the defaults on cloud providers don't err majorly on the side of caution is another story,

      I'd argue that it's the same story. If the issue is that documents needed to be set to 'private', rather than being set to 'public' without a default-private setting, the distinction between incompetence and malice is basically academic.

      but as always there's more to this than "cloud bad hurr hurr hurr"

      The cloud isn't all bad, but there do need to be very heavily leveraged expectations.

    15. Re:Isn't the cloud great? by MightyYar · · Score: 1

      Yeah, client information is a whole different ball of wax. Hopefully you never get to "fuck it", and instead have a more deliberate process :)

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    16. Re:Isn't the cloud great? by MightyYar · · Score: 1

      Fortunately, it is not only frequently-stolen but the thief happens to be a kleptomaniac nun, and the convent is all too happy to return any stolen goods.

      (Only part of the above is made up.)

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  3. "as well as Microsoft's own search engine, Bing" by Anonymous Coward · · Score: 0

    Now I can Bing those secret files!

    Haha, jk, no one uses Bing.

  4. The homepage of Docs.com states by fattmatt · · Score: 4, Funny

    The homepage of Docs.com states ...
    -Tap below to upload your documents.
    -Later, you can choose who may view your documents.

    How much later is anyone's guess.

  5. Re:"as well as Microsoft's own search engine, Bing by Opportunist · · Score: 4, Funny

    Q: What is Bing?
    A: The sound a MS service makes when it crashes.

    Any Windows user knows it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Privacy in the "Cloud"? What's that? by Frosty+Piss · · Score: 4, Informative

    Never heard of Docs.com, but come on, uploading documents to Microsoft (or worse, Google)? You know some algorithm is looking at them even if some random human can't access them.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Privacy in the "Cloud"? What's that? by Anonymous Coward · · Score: 0

      Perhaps a fair trade for *free* (as in beer) hosting. They ain't doing it out of the goodness of their hearts in most cases.

      Me, I encrypt, then upload for anything even moderately private.

  7. You are told multiple times by Anonymous Coward · · Score: 0

    The website says it's to share documents publicly.

    When you upload a document a large tile says that the Document will be shared with the Public, and you must change that setting to make it private.

    When you click Save you are warned that your settings have Public selected.

    This is the fault of the people that are ignoring the fact Microsoft has told them multiple times the document they are uploading will be public. This is NOT Microsoft's fault, it's the fault of the illiterate and ignorant.

  8. And this Microsoft's fault, how? by Chris+Mattern · · Score: 2

    Stuff you marked as world accessible is world accessible.

    1. Re:And this Microsoft's fault, how? by goombah99 · · Score: 2

      from what it says, it's the default. If so, that's assbackwards.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    2. Re:And this Microsoft's fault, how? by thegarbz · · Score: 3, Insightful

      This is Microsoft's fault for two reasons:

      a) the default was backwards.
      b) regardless of what the default was, different defaults existed with different results based on how the file got to docs.com and the filetype, which is a privacy FUBAR in-and-of itself.

    3. Re:And this Microsoft's fault, how? by Anonymous Coward · · Score: 0

      Hold shift key to upload documents with privacy intact unless the document is coming from another web source in which case you hold ctrl key and use shift key to reverse privacy features. Or you could just use right-click and drag during upload to give you the opportunity to explicitly select private or public.

  9. I love Microsoft... by __aaclcg7560 · · Score: 3, Funny

    Microsoft = Job Security. I wouldn't have a 20+ year old technical career without Microsoft. I don't expect that to change in the next 20+ years.

  10. If it's open to general internet, it's not secure. by Anonymous Coward · · Score: 1

    If anyone can pop into the search without even so much as logging in to a pseudo-vetted account like google/fb/linkedin or similar, you might as well just put the information in a telephone book and send it out to everyone because that's essentially what you've done.

    Now, there's nothing 'wrong' with that unless the end user has some sort of general expectation of privacy or security. So the question becomes, did MS docs give that illusion to users? How or how not, specifically?

  11. Microsoft restores feature. by goombah99 · · Score: 5, Informative

    this is tacked onto the bottom of the linked article:
    Update on March 27: the search feature has been added back, and is still exposing personal information. Microsoft hasn't explained why it reintroduced the feature again.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Microsoft restores feature. by zlives · · Score: 2

      because it's later and the internet should have forgotten about risks already.

  12. Corporate America by Anonymous Coward · · Score: 0

    Shitting all over your privacy. And no one cares.

  13. The feature is back! by 140Mandak262Jamuna · · Score: 1

    Update on March 27: the search feature has been added back, and is still exposing personal information. Microsoft hasn't explained why it reintroduced the feature again.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:The feature is back! by iggymanz · · Score: 1

      perhaps the problem is not Microsoft's doing but idiots using the service and making documents public that are supposed to have restricted permissions?

  14. Docs.com by jmyers · · Score: 2

    The whole point of the site is that you are putting documents there to be seen by everyone, sort of a YouTube for documents. It is a place to "Showcase and discover Microsoft Word, Excel, PowerPoint, OneNote, Sway, Minecraft world and PDF documents for free". Showcase being the key word, hey everyone in the world, look at my pretty documents.

    I don't think this (for once) is an MS problem.

    1. Re:Docs.com by Anonymous Coward · · Score: 0

      So it's a PDF sharing site?
      An e-book pirate site?
      A self-published site for unedited books by aspiring authors?
      A wikileaks competitor?

      What is even the purpose of a site dedicated to public exposure of boring old documents if not the above?

    2. Re:Docs.com by jmyers · · Score: 1

      Most likely someone at Microsoft had the bright idea (at a bar when they were drinking heavily), hey what if websites were in Microsoft proprietary document formats rather than html. That's the ticket, we will create a public place for people to set up a profile and then host their personal public website in MS document formats. I think that is where it started but the people actually used it as a place to store files like Google drive.

      The people that used the search feature were probably after all of your points above and instead found a trove of personal information.

    3. Re:Docs.com by Anonymous Coward · · Score: 0

      regardless of what you may think many of us have to write large amounts of documents. I have not looked at Docs.com, but a good repository of publicly usable documents that are good examples can save days in the creation process. The problem is always getting the quality in such a repository high enough to make it worthwhile though and I doubt they have this as most people wanting to show off usually have no fucking clue on what makes a good document and those that do don't waste time publishing them for others.

  15. ONLY apps can app apps! by Anonymous Coward · · Score: 0

    Modern app appers know that only apps can app apps, so only LUDDITES want to use the LUDDITE private setting! Modern app appers use the "appy" setting!

    Apps!

  16. Actual dictionary definition: A heaping pile by raymorris · · Score: 1

    The *actual* dictionary definition of "bing" is "a heap or pile". So my question to Microsoft is this "your search engine is a heaping pile of WHAT, exactly?"

    1. Re:Actual dictionary definition: A heaping pile by Cro+Magnon · · Score: 1

      So, MS named it better than I thought?

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  17. Headline is a euphemism? by Anonymous Coward · · Score: 0

    "yanks", "exposed", and "sensitive"?
    Slashdot: too hot for prime time.

  18. Re:"as well as Microsoft's own search engine, Bing by danomac · · Score: 1

    Bing? Bong!

  19. Not a bug. by hduff · · Score: 1

    It's a feature.

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
    1. Re:Not a bug. by Anonymous Coward · · Score: 0

      In this case absolutely. The whole site is about publishing your documents, the site tells you many times. sadly, as with many things though, user ignorance trumps all.

  20. To be fair, it warns you like 3-4 times... by slacklinejoe · · Score: 1

    As a user of Docs.com, I'm not sure how users would realize that the site isn't public by default... It warns you in big banners that it's a public docs site for publishing product manuals or other public consumption items that aren't websites but you want to provide links to or where folks can search for it. You can limit it down for personal, but if you wanted that, you'd use one of the many other services on the exact same menu like OneDrive or SharePoint.

  21. Keep your data out of the cloud by uncoveror · · Score: 1

    Store everything locally.

    --
    The Uncoveror: It's the real news.
  22. Blankety Blank Blank by Anonymous Coward · · Score: 0

    Welcome to /.
    Now with 33% more blank ad space instead of content.