Publicly-shared documents hosted on Docs.com expose sensitive information

Some things are not meant to be shared, at least not with the public. Passwords, addresses, bank account numbers—these types of information are best kept private. But if they must be shared, it should be done securely (and usually is).

Unfortunately, security researcher Kevin Beaumont recently discovered that this was not the case for hundreds of files on Docs.com, Microsoft's document sharing site. The files found by Beaumont contained sensitive information but were shared publicly on the site. This meant that they were being publicly indexed and could be found with Docs.com's search function or by search engines such as Google, allowing anyone to access them and their contents.

Beaumont posted his discovery on social media, which led other researchers as well as curious people to investigate further. They found even more documents with sensitive info—names and phone numbers, as well as social security numbers, gathered by debt collectors; physicians' medical data, including photos; maintenance login info for various security devices; and even login data for administrator e-mails were discovered.

The findings forced Microsoft to disable the Docs.com search box on the homepage; it was still accessible from other Docs.com pages, however. Eventually, the search box was disabled site-wide. However, because the affected documents had been publicly indexed, a Google search could still pull them up. Microsoft responded by blocking all incoming links from Google searches.

As of now, the Docs.com search function is back, along with access to the publicly-shared documents. Microsoft has not yet announced a fix for this problem. At the moment, the best thing Docs.com users can do is to make sure any documents with sensitive information are set to "limited" or "organization" access.

Source(s)