Notebookcheck

Publicly-shared documents hosted on Docs.com expose sensitive information

With the Docs.com search box, users can find any publicly-shared sensitive information. (Source: Docs.com)
With the Docs.com search box, users can find any publicly-shared sensitive information. (Source: Docs.com)
Researchers as well as everyday users have discovered a trove of easily-accessible sensitive information on Docs.com. From phone numbers to social security numbers, the info is just a quick search away, open for malicious actors to steal and exploit.

Some things are not meant to be shared, at least not with the public. Passwords, addresses, bank account numbers—these types of information are best kept private. But if they must be shared, it should be done securely (and usually is).

Unfortunately, security researcher Kevin Beaumont recently discovered that this was not the case for hundreds of files on Docs.com, Microsoft's document sharing site. The files found by Beaumont contained sensitive information but were shared publicly on the site. This meant that they were being publicly indexed and could be found with Docs.com's search function or by search engines such as Google, allowing anyone to access them and their contents.

Beaumont posted his discovery on social media, which led other researchers as well as curious people to investigate further. They found even more documents with sensitive info—names and phone numbers, as well as social security numbers, gathered by debt collectors; physicians' medical data, including photos; maintenance login info for various security devices; and even login data for administrator e-mails were discovered.

The findings forced Microsoft to disable the Docs.com search box on the homepage; it was still accessible from other Docs.com pages, however. Eventually, the search box was disabled site-wide. However, because the affected documents had been publicly indexed, a Google search could still pull them up. Microsoft responded by blocking all incoming links from Google searches.

As of now, the Docs.com search function is back, along with access to the publicly-shared documents. Microsoft has not yet announced a fix for this problem. At the moment, the best thing Docs.com users can do is to make sure any documents with sensitive information are set to "limited" or "organization" access.

Source(s)

static version load dynamic
Loading Comments
Comment on this article
Please share our article, every link counts!
> Notebook / Laptop Reviews and News > News > News Archive > Newsarchive 2017 03 > Publicly-shared documents hosted on Docs.com expose sensitive information
John Garcia, 2017-03-27 (Update: 2017-03-27)
John Garcia
John Garcia - News Editor
Notebooks, tablets, smartphones, handheld consoles—if it's a computer you can carry with you, then it's in my wheelhouse. I started my journey in tech journalism as a writer for a mobile games website. But the allure of covering hardware soon won me over, so now I'm here at Notebookcheck, sharing my passion with similarly passionate individuals.