The Expert's View with Jeremy Kirk

Data Loss Prevention (DLP) , Governance & Risk Management

Microsoft's Docs.com Leaks Personal Information

Bad UI Design Combined with Inattentive Users = Inadvertent Breach
Microsoft's Docs.com Leaks Personal Information

Microsoft's Docs.com file-sharing service has been an open window to viewing people's personal data. The company appears to have taken some steps to contain the exposure, but those watching closely say sensitive personal information can still be found via search engines.

See Also: Live Webinar | Navigating Identity Threats: Detection & Response Strategies for Modern Security Challenges

Docs.com is designed as an online repository that lets people to share their data easily with others. The site also has a search function to find files.

A U.K.-based researcher, Kevin Beaumont, began searching for sensitive terms and turned up a raft of worrying data, including password lists, bank account details, Social Security numbers.

He jokingly dubbed Docs.com as Dox.com, a reference to the practice of doxing, where hackers publish sensitive information online against the wishes of a victim.

"People clearly don't understand how the service works," he writes on Twitter.

Poor UI Design

The data exposure isn't the result of a direct error by Microsoft. Rather, it would appear that some people aren't aware that documents uploaded to docs.com are made public by default. That's unlike other file uploading services that default to private access.

Docs.com displays a preview of a newly uploaded document. There's a left hand panel of controls that lets users add a description and author. But you have to scroll down to see a warning that the document will be public by default. The top third of the panel shows a save button that publishes the document to the web.

To keep the document off the public web, a user has to choose the "limited" option, which only allows those who have a direct link to the document to view it.

Cached Data

Since Beaumont began tweeting about the problems on March 24, it appears Microsoft has taken action. The company removed the search feature from docs.com for a while, but for some inexplicable reason, reintroduced it.

As such, it is still possible to find documents with information that it's plausible to assume users would not want exposed. Since the documents have been exposed to the internet, search engines may have cached some of the data. As of March 28, it was possible to use Google to do a site-specific search of docs.com and retrieve data whose owners probably don't realize is public.

Microsoft officials aren't getting into the details of how it is handling the leak. It does appear that some docs.com accounts with flagrant personal information have been flagged, as documents that show up in a Google search can't be rendered.

"As part of our commitment to protect customers, we're taking steps to help those who may have inadvertently published documents with sensitive information," Microsoft says in an email statement. "Customers can review and update their settings by logging into their account at www.docs.com."

Enforce the Safer Option

Microsoft may not be directly responsible for the data leakage, but it definitely made some horrendous design choices. Clearly, making documents public by default was a bad decision.

The security community knows well that lightly enforcing the safer option is always best. It's unreasonable to expect that users are going to carefully examine any UI interface and choose the safest option.

While the ultimate fault does rest with users here, Microsoft should have seen this coming.



About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.