Microsoft Yanks Docs.com Search After Complaints of Exposed Sensitive Files (zdnet.com) 55
Microsoft has quietly removed a feature on its document sharing site Docs.com that allowed anyone to search through millions of files for sensitive and personal information. From a report on ZDNet: Users had complained over the weekend on Twitter that anyone could use the site's search box to trawl through publicly-accessible documents and files stored on the site, which were clearly meant to remain private. Files reviewed by ZDNet, and seen by others who tweeted about them, included password lists, job acceptance letters, investment portfolios, divorce settlement agreements, and credit card statements -- some of which contained Social Security and driving license numbers, dates of birth, phone numbers, and email and postal addresses. The company removed the site's search feature late on Saturday, but others observed that the files were still cached in Google's search results, as well as Microsoft's own search engine, Bing.
Information wants to be free (Score:5, Insightful)
Well, your information, not ours.
FTFA (and a major WTF)
All of the documents would have been uploaded by their owners, but they may not have realized that each document could be made public, which is Docs.com's default uploading setting, compared to files created or edited with Word and Excel Online, which are private until set otherwise.
Re: (Score:2)
That's a serious design-level security bug. Morons.
Re:Information wants to be free (Score:5, Interesting)
Maybe, but the site does declare "Showcase and discover Microsoft Word, Excel, PowerPoint, OneNote, Sway, Minecraft world and PDF documents for free" in like 40-point font at the top of the home page. Why are people using this if they don't want to "showcase"?
Re: Information wants to be free (Score:1)
Re: (Score:2)
I can think of better ways to "showcase" my divorce paperwork. YouTube can be used for private videos, too, but the public default does not seem to rankle. It seems like this site was trying to be the "YouTube of documents". It wouldn't surprise me if that's how it got pitched. Anyway, I hope you take a stop over to docs.com and see how grossly unsuited it is to tasks requiring security or discretion. I think this may rank up there with "do not insert into any orifice" labels on curling irons.
Microsoft restores feature. (Score:5, Informative)
this is tacked onto the bottom of the linked article:
Update on March 27: the search feature has been added back, and is still exposing personal information. Microsoft hasn't explained why it reintroduced the feature again.
Re: (Score:3)
Because it's later and the internet should have forgotten about risks already.
Isn't the cloud great? (Score:5, Insightful)
I don't know why people use the cloud to store sensitive documents. It just doesn't seem like a smart thing to do.
Re:Isn't the cloud great? (Score:5, Insightful)
Because sometimes it's just sort of "fuck it". You can stress over every move you make online, or you can take reasonable precautions and risk recovering from something like identity theft later on. One of those reasonable precautions should probably be using something reputable and purpose-built like Dropbox or Drive rather than something that proclaims on the front page "Showcase and discover Microsoft Word, Excel, PowerPoint, OneNote, Sway, Minecraft world and PDF documents for free". Don't use a showcase site for your private files...
Along the lines of "fuck it", I regularly put my tax documents in Dropbox during tax season. It's reasonably safe, I think, compared to putting them in my pocket in an easily-lost USB stick or on a frequently-stolen laptop. It's not like the physical world is completely safe, either, and Dropbox and Google are going to be better at IT than I am.
Re: (Score:3)
It's reasonably safe, I think, compared to putting them in my pocket in an easily-lost USB stick or on a frequently-stolen laptop.
Now you have me curious -- just how often is this laptop stolen? How many owners has it had? Why would you want to store anything on such a thing?
Or is it your laptop, and it's stolen again and again, but you keep recovering it? If so, do you work in some sort of sensitive information industry where somebody keeps deliberately taking your laptop and then making it easy for you to find it again (after they've presumably taken any new data on it, I guess?)?
I'm really intrigued by this "frequently-stole
Re:Isn't the cloud great? (Score:4, Funny)
Research shows that there is a single "frequently stolen laptop" which has been stolen 137 times. This laptop is just a shite laptop which keeps getting stolen from Starbucks but it is so useless that people return it to Starbucks where it is stolen again by new unsuspecting thieves.
Each thief who tries to use it enters their passwords into Yahoo mail and Facebook but it is so slow that they quickly realize that they are wasting their time and they can't even sell it to their dumb brother. Of course, this laptop contains a festering pile of malware so their passwords are immediately sent to The Great Orange One who reads their email and Tweets conspiracy theories about all of these people sending him sensitive super top secret data... so SAD.
Re: (Score:2)
Fortunately, it is not only frequently-stolen but the thief happens to be a kleptomaniac nun, and the convent is all too happy to return any stolen goods.
(Only part of the above is made up.)
Re: (Score:1)
Because sometimes it's just sort of "fuck it". You can stress over every move you make online, or you can take reasonable precautions and risk recovering from something like identity theft later on.
I believe you are right about all of that, and the tradeoffs. The issue I have is that other people do not make that choice wisely when dealing with my info.
There are times you can say "ok, good enough" and be done with it. But when the risk of exposure causes major problems such as identity theft for a third party, more care should be taken, and people do not always take that care.
Re: (Score:2)
Yeah, client information is a whole different ball of wax. Hopefully you never get to "fuck it", and instead have a more deliberate process :)
Re: (Score:2, Informative)
Ease of use and access. The same reason people do anything.
Re: (Score:3)
Re: (Score:3)
I pulled my data out of the cloud and put it on a file server. It doesn't need to live 24/7 on the Internet.
Come on, it has to be. You might not need it. But companies that index and sell information need it to be on the net and be available when their web crawler is on the prowl.
Re: (Score:2)
Alas, are you *sure* it's still not in the cloud? It probably is, somewhere.
Re: (Score:2)
Alas, are you *sure* it's still not in the cloud? It probably is, somewhere.
That data wasn't as sensitive as the background investigative file for my security clearance that the Chinese stole from OPM a few years ago.
Re: (Score:2)
Because Cloud != open and public necessarily.
And this is just an example of that. Only documents which were set to public were shared.
Now why the defaults on cloud providers don't err majorly on the side of caution is another story, but as always there's more to this than "cloud bad hurr hurr hurr"
Re: (Score:2)
Exactly. Google Docs is only one of many cloud services, one that happens to encourage sharing - it's a weird place to store your tax returns.
Re: (Score:2)
Because Cloud != open and public necessarily.
Perhaps not - that's why there's Spideroak and a few others whose MO is storing data on someone else's hard disk, but not the means of accessing it. It may well be possible to use Google Docs and OneDrive and Docs.com and Dropbox securely, but while it's possible to point to individuals and organizations who have had data compromised inadvertently, it's far less common for that to happen to data kept internally. "Default Distrust" is not paranoia, it's a response to reality.
And this is just an example of that. Only documents which were set to public were shared.
Now why the defaults on cloud providers don't err majorly on the side of caution is another story,
I'd argue that it's the same stor
Re: (Score:2)
Same reason they use banks to store money (and not keep them under the mattress in cash).
However, with that, comes expectation of some duty of care on the part of those storing such information. I.e. - not releasing it to unrelated 3rd parties without appropriate authorization (which depends, in turn, on document type, storage mode and document owner selections). The default should definitely not be "everyone can easily search and read".
Re:"as well as Microsoft's own search engine, Bing (Score:5, Funny)
Q: What is Bing?
A: The sound a MS service makes when it crashes.
Any Windows user knows it.
Actual dictionary definition: A heaping pile (Score:2)
The *actual* dictionary definition of "bing" is "a heap or pile". So my question to Microsoft is this "your search engine is a heaping pile of WHAT, exactly?"
Re: (Score:2)
So, MS named it better than I thought?
Re: (Score:2)
Bing? Bong!
The homepage of Docs.com states (Score:4, Funny)
The homepage of Docs.com states ...
-Tap below to upload your documents.
-Later, you can choose who may view your documents.
How much later is anyone's guess.
Privacy in the "Cloud"? What's that? (Score:5, Informative)
Never heard of Docs.com, but come on, uploading documents to Microsoft (or worse, Google)? You know some algorithm is looking at them even if some random human can't access them.
And this Microsoft's fault, how? (Score:3)
Stuff you marked as world accessible is world accessible.
Re: (Score:3)
from what it says, it's the default. If so, that's assbackwards.
Re:And this Microsoft's fault, how? (Score:4, Insightful)
This is Microsoft's fault for two reasons:
a) the default was backwards.
b) regardless of what the default was, different defaults existed with different results based on how the file got to docs.com and the filetype, which is a privacy FUBAR in-and-of itself.
I love Microsoft... (Score:4, Funny)
If it's open to general internet, it's not secure. (Score:1)
If anyone can pop into the search without even so much as logging in to a pseudo-vetted account like google/fb/linkedin or similar, you might as well just put the information in a telephone book and send it out to everyone because that's essentially what you've done.
Now, there's nothing 'wrong' with that unless the end user has some sort of general expectation of privacy or security. So the question becomes, did MS docs give that illusion to users? How or how not, specifically?
The feature is back! (Score:2)
Update on March 27: the search feature has been added back, and is still exposing personal information. Microsoft hasn't explained why it reintroduced the feature again.
Re: (Score:2)
perhaps the problem is not Microsoft's doing but idiots using the service and making documents public that are supposed to have restricted permissions?
Docs.com (Score:3)
The whole point of the site is that you are putting documents there to be seen by everyone, sort of a YouTube for documents. It is a place to "Showcase and discover Microsoft Word, Excel, PowerPoint, OneNote, Sway, Minecraft world and PDF documents for free". Showcase being the key word, hey everyone in the world, look at my pretty documents.
I don't think this (for once) is a MS problem.
Re: (Score:2)
Most likely someone at Microsoft had the bright idea (at a bar when they were drinking heavily), hey what if websites were in Microsoft proprietary document formats rather than html. That's the ticket, we will create a public place for people to set up a profile and then host their personal public website in MS document formats. I think that is where it started but the people actually used it as a place to store files, like Google Drive.
The people that used the search feature were probably after all of your point
Not a bug. (Score:2)
It's a feature.
To be fair, it warns you like 3-4 times... (Score:1)
Keep your data out of the cloud (Score:2)