Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Microsoft Privacy Security The Internet

Microsoft Yanks Docs.com Search After Complaints of Exposed Sensitive Files (zdnet.com) 55

Microsoft has quietly removed a feature on its document sharing site Docs.com that allowed anyone to search through millions of files for sensitive and personal information. From a report on ZDNet: Users had complained over the weekend on Twitter that anyone could use the site's search box to trawl through publicly-accessible documents and files stored on the site, which were clearly meant to remain private. Among the files reviewed by ZDNet, and seen by others who tweeted about them, included password lists, job acceptance letters, investment portfolios, divorce settlement agreements, and credit card statements -- some of which contained Social Security and driving license numbers, dates of birth, phone numbers, and email and postal addresses. The company removed the site's search feature late on Saturday, but others observed that the files were still cached in Google's search results, as well as Microsoft's own search engine, Bing.
This discussion has been archived. No new comments can be posted.

Microsoft Yanks Docs.com Search After Complaints of Exposed Sensitive Files

Comments Filter:
  • by ColdWetDog ( 752185 ) on Monday March 27, 2017 @10:22AM (#54118817) Homepage

    Well, your information, not ours.

    FTFA (and a major WTF)

    All of the documents would have been uploaded by their owners, but they may not have realized that each document could be made public, which is Docs.com's default uploading setting, compared to files created or edited with Word and Excel Online, which are private until set otherwise.

    • That's a serious design-level security bug. Morons.

      • by MightyYar ( 622222 ) on Monday March 27, 2017 @10:37AM (#54118941)

        Maybe, but the site does declare "Showcase and discover Microsoft Word, Excel, PowerPoint, OneNote, Sway, Minecraft world and PDF documents for free" in like 40-point font at the top of the home page. Why are people using this if they don't want to "showcase"?

        • It doesn't say "showcase to everyone in the world" so it would be absurd to assume that is what it means. They assumed that could decide to whom they would and would not "showcase" it to.
          • I can think of better ways to "showcase" my divorce paperwork. YouTube can be used for private videos, too, but the public default does not seem to rankle. It seems like this site was trying to be the "YouTube of documents". It wouldn't surprise me if that's how it got pitched. Anyway, I hope you take a stop over to docs.com and see how grossly unsuited it is to tasks requiring security or discretion. I think this may rank up there with "do not insert into any orifice" labels on curling irons.

    • by goombah99 ( 560566 ) on Monday March 27, 2017 @11:01AM (#54119113)

      this is tacked onto the bottom of the linked article:
      Update on March 27: the search feature has been added back, and is still exposing personal information. Microsoft hasn't explained why it reintroduced the feature again.

  • by danomac ( 1032160 ) on Monday March 27, 2017 @10:23AM (#54118827)

    I don't know why people use the cloud to store sensitive documents. It just doesn't seem like a smart thing to do.

    • by MightyYar ( 622222 ) on Monday March 27, 2017 @10:32AM (#54118879)

      Because sometimes it's just sort of "fuck it". You can stress over every move you make online, or you can take reasonable precautions and risk recovering from something like identity theft later on. One of those reasonable precautions should probably be using something reputable and purpose-built like Dropbox or Drive rather than something that proclaims on the front page "Showcase and discover Microsoft Word, Excel, PowerPoint, OneNote, Sway, Minecraft world and PDF documents for free". Don't use a showcase site for your private files...

      Along the lines of "fuck it", I regularly put my tax documents in Dropbox during tax season. It's reasonably safe, I think, compared to putting them in my pocket in an easily-lost USB stick or on a frequently-stolen laptop. It's not like the physical world is completely safe, either, and Dropbox and Google are going to be better at IT than I am.

      • It's reasonably safe, I think, compared to putting them in my pocket in an easily-lost USB stick or on a frequently-stolen laptop.

        Now you have me curious -- just how often is this laptop stolen? How many owners has it had? Why would you want to store anything on such a thing?

        Or is it your laptop, and it's stolen again and again, but you keep recovering it? If so, do you work in some sort of sensitive information industry where somebody keeps deliberately taking your laptop and then making it easy for you to find it again (after they've presumably taken any new data on it, I guess?)?

        I'm really intrigued by this "frequently-stole

        • by mspohr ( 589790 ) on Monday March 27, 2017 @11:46AM (#54119511)

          Research shows that there is a single "frequently stolen laptop" which has been stolen 137 times. This laptop is just a shite laptop which keeps getting stolen from Starbucks but it is so useless that people return it to Starbucks where it is stolen again by new unsuspecting thieves.
          Each thief who tries to use it enters their passwords into Yahoo mail and Facebook but it is so slow that they quickly realize that they are wasting their time and they can't even sell it to their dumb brother. Of course, this laptop contains a festering pile of malware so their passwords are immediately sent to The Great Orange One who reads their email and Tweets conspiracy theories about all of these people sending him sensitive super top secret data... so SAD.

        • Fortunately, it is not only frequently-stolen but the thief happens to be a kleptomaniac nun, and the convent is all too happy to return any stolen goods.

          (Only part of the above is made up.)

      • by Anonymous Coward

        Because sometimes it's just sort of "fuck it". You can stress over every move you make online, or you can take reasonable precautions and risk recovering from something like identity theft later on.

        I believe you are right about all of that, and the tradeoffs. The issue I have is that other people do not make that choice wisely when dealing with my info.

        There are times you can say "ok, good enough" and be done with it. But when the risk of exposure causes major problems such as identity theft for a third party, more care should be taken, and people do not always take that care.

        • Yeah, client information is a whole different ball of wax. Hopefully you never get to "fuck it", and instead have a more deliberate process :)

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Ease of use and access. The same reason people do anything.

    • I pulled my data out of the cloud and put it on a file server. It doesn't need to live 24/7 on the Internet.
      • I pulled my data out of the cloud and put it on a file server. It doesn't need to live 24/7 on the Internet.

        Come on, it has to be. You might not need it. But companies that index and sell information need it to be on the net and be available when their web crawler is on the prowl.

      • Alas, are you *sure* it's still not in the cloud? It probably is, somewhere.

        • Alas, are you *sure* it's still not in the cloud? It probably is, somewhere.

          That data wasn't as sensitive as the background investigative file for my security clearance that the Chinese stole from OPM a few years ago.

    • Because Cloud != open and public necessarily.

      And this is just an example of that. Only documents which were set to public were shared.

      Now why the defaults on cloud providers don't err majorly on the side of caution is another story, but as always there's more too this than "cloud bad hurr hurr hurr"

      • Exactly. Google Docs is only one of many cloud services, one that happens to to encourage sharing - it's a weird place to store your tax returns.

      • Because Cloud != open and public necessarily.

        Perhaps not - that's why there's Spideroak and a few others whose MO is storing data on someone else's hard disk, but not the means of accessing it. It may well be possible to use Google Docs and OneDrive and Docs.com and Dropbox securely, but while it's possible to point to individuals and organizations who have had data compromised inadvertently, it's far less common for that to happen to data kept internally. "Default Distrust" is not paranoia, it's a response to reality.

        And this is just an example of that. Only documents which were set to public were shared.

        Now why the defaults on cloud providers don't err majorly on the side of caution is another story,

        I'd argue that it's the same stor

    • by ugen ( 93902 )

      Same reason they use banks to store money (and not keep them under the mattress in cash).
      However, with that, comes expectation of some duty of care on the part of those storing such information. I.e. - not releasing it to unrelated 3rd parties without appropriate authorization (which depends, in turn, on document type, storage mode and document owner selections). The default should definitely not be "everyone can easily search and read".

  • by fattmatt ( 1042156 ) on Monday March 27, 2017 @10:29AM (#54118863)

    The homepage of Docs.com states ...
    -Tap below to upload your documents.
    -Later, you can choose who may view your documents.

    How much later is anyone's guess.

  • by Frosty Piss ( 770223 ) * on Monday March 27, 2017 @10:31AM (#54118875)

    Never heard of Docs.com, but come on, uploading documents to Microsoft (or worse, Google)? You know some algorithm is looking at them even if some random human cant access them.

  • by Chris Mattern ( 191822 ) on Monday March 27, 2017 @10:38AM (#54118943)

    Stuff you marked as world accessible is world accessible.

  • by __aaclcg7560 ( 824291 ) on Monday March 27, 2017 @10:39AM (#54118951)
    Microsoft = Job Security. I wouldn't have 20+ year old technical career without Microsoft. I don't expect that to change in the next 20+ years.
  • If anyone can pop into the search without even so much as logging in to a pseudo-vetted account like google/fb/linkedin or similar, you might as well just put the information in a telephone book and send it out to everyone because that's essentially what you've done.

    Now, there's nothing 'wrong' with that unless the end user has some sort of general expectation of privacy or security. So the question becomes, did MS docs give that illusion to users? How or how not, specifically?

  • Update on March 27: the search feature has been added back, and is still exposing personal information. Microsoft hasn't explained why it reintroduced the feature again.

    • perhaps the problem is not Microsoft's doing but idiots using the service and making documents public that are supposed to have restricted permissions?

  • by jmyers ( 208878 ) on Monday March 27, 2017 @12:16PM (#54119743)

    The whole point of the site is that you are putting documents there to be seen by everyone, sort of a YouTube for documents. It is a place to "Showcase and discover Microsoft Word, Excel, PowerPoint, OneNote, Sway, Minecraft world and PDF documents for free". Showcase being the key work, hey everyone in the world, look at my pretty documents.

    I don't think this (for once) in a MS problem.

  • It's a feature.

  • As a user of Docs.com, I'm not sure how users would realize that the site isn't public by default... It warns you in big banners that it's a public docs site for publishing product manuals or other public consumption items that aren't websites but you want to provide links to or where folks can search for it. You can limit it down for personal, but that if you wanted that, you'd use one of the many other services on the exact same menu like OneDrive or SharePoint.
  • Store everything locally.

"All the people are so happy now, their heads are caving in. I'm glad they are a snowman with protective rubber skin" -- They Might Be Giants

Working...