• Docs.com Search Removed After Trawling Revealed

    #104624

    Microsoft yanks Docs.com search after complaints of exposed sensitive files

    http://www.zdnet.com/article/microsoft-yanks-docs-com-search-after-complaints-of-exposed-sensitive-files

    Microsoft’s document sharing site, docs.com, had a site search box that was allowing access to publicly-accessible files stored on the site, which were clearly meant to remain private. Microsoft itself has not suffered a security breach, but its users have inadvertently been subjected to one.

    Even though the search feature was removed over the weekend, the results are apparently still appearing in search engines, according to the zdnet.com article linked above.

    3 users thanked author for this post.
    • #104659

      It’s kind of along the lines of what common sense thinkers have always known:

      Send your data to the cloud (aka to someone else’s server) only if you want it seen by… Someone else.

      Lessons?
      Obscurity is not security. Trust should not be given lightly. When you assume you make an… 😉

      -Noel

      • #104678

        How did this involve obscurity? (Docs.com says “Showcase …” as its first word.)

        The article has a footnote that indicates the search feature was restored today.

        • #104688

          “Update on March 27: the search feature has been added back, and is still exposing personal information. Microsoft hasn’t explained why it reintroduced the feature again.”

          2 users thanked author for this post.
          • #104690

            Thanks for quoting, without comment, what I had already read and referred to. Very useful.

            • #104691

              Useful for others, your comment might have misled people into thinking search was now fixed and no longer revealing private file contents, which is clearly not the case if the report is accurate.

            • #104694

              I don’t think search was ever broken. It’s a public publishing/sharing site by default:

              Why should I share my content on Docs.com?
              It’s the best way to get your work noticed and gain a broader audience.

              Frequently Asked Questions about Docs.com

            • #104739

              Perhaps the following wasn’t made clear enough, or advertising was aimed at those who aren’t very Cloud savvy?

              A lot of PC users are still pretty clueless when it comes to privacy and security, Cloud sites would be better if they were private only to begin with, users would then need to find out about the various degrees of visibility/sharing.

              Heck, most MS Office users probably have no clue about the hidden data in their documents either.

              “Who can see my documents?

              For anything that you publish on Docs.com, you can set the visibility of your documents or collections to either Public or Limited.

              Anything you publish with Public visibility will appear in worldwide search engine results and can be shared by you and others on social media sites. This option is a great way to get your work noticed. On the other hand, anything you publish with Limited visibility does not appear in search engine results and can be viewed only by people with whom a direct link to your content has been shared. Similarly, anything you publish with Organization visibility does not appear in search engine results and can be viewed only by those who sign in with a school or work account from your school or organization.”

              1 user thanked author for this post.
            • #104756

              Possibly, but after registration the home page heading becomes, “Share your work with the world” alongside a Publish button.

              I wasn’t able to find much sensitive information at all, so I think it’s generally understood (except by the wannabe hacker who started the twitterstorm).

            • #104758

              … wannabe hacker…

              Ah, that smacks of victim blaming.

              The person who sees the erroneously shared data is ‘bad’ but the author/publisher and the facilitators (yup, that’s MS, it’s their site) are completely blame free?

              1 user thanked author for this post.
            • #104762

              He wasn’t a victim, but has overhyped the situation. I don’t think there’s much blame to be shared, as it seems to be working as designed and understood by most.

            • #104764

              Ah, so you’ve read MS’ statement? Link?

            • #104875

              A Microsoft spokesperson made the following statement to Ars Technica:

              Docs.com lets customers showcase and share their documents with the world. As part of our commitment to protect customers, we’re taking steps to help those who may have inadvertently published documents with sensitive information. Customers can review and update their settings by logging into their account at www.docs.com.

              https://arstechnica.com/security/2017/03/doxed-by-microsofts-docs-com-users-unwittingly-shared-sensitive-docs-publicly/

            • #104882

              Yep. And the big question is whether Microsoft should allow – encourage – people to post their personal documents for all the world to see.

              There are good and bad sides to that, as you and others have noted.

              Idly searching through Docs.com still brings up all sorts of embarrassing things. Court orders. Government documents. Password lists. Internal company documents. Should they be banned? Probably not. But the owners should be chastised…

              1 user thanked author for this post.
    • #104711

      How did this involve obscurity?

      I was just imagining that people who blithely uploaded their documents might have been thinking, who cares if I upload this personal data; no one’s going to see it in my little subfolder except the person I sent the link to. Or maybe they didn’t think at all, and just assumed whatever Word wanted to do with their documents was good for them.

      To err is human. To really mine your data requires a computer.

      Rules of thumb like those I published above are there for non-thinkers.

      -Noel

      1 user thanked author for this post.
    • #104883

      The search box is back. Not clear what has changed.

      1 user thanked author for this post.
    • #120047

      It is hard to muster a lot of sympathy for those who blindly click away on the net with nary a thought as to what they are doing. I see all too often those who take advantage of integrated software features or use websites without taking the time to understand what is happening when they do.

      Many have never heard of crawlers that scour the net for info to be added to the results returned by their favorite search engine. Heaven forbid taking the time to encrypt their files before putting them on a storage site. Hey if Dropbox protects my stuff so does docs.com I guess. It’s too hard or they don’t have the time to figure out how a zip password works. Any feeble attempt to thwart a casual observer is better than doing nothing at all.

      If you wish to use a service, any service, and you haven’t taken the time and made the effort to educate yourself about that service, you get what you deserve. I have never used docs.com but somewhere in the help files there must be a mention that documents uploaded are public by default. Anyone who ever bothered to look at their account profile on that site should have been able to see the option to limit access to their submissions by default.

      These people didn’t care, and couldn’t be bothered, so neither do I. Most probably still do not realize that they are providing hours of laughs for those who wish to look for these embarrassing or personal tidbits. Same for those who can’t be bothered changing the default password on their web cams or their baby monitors. Those who don’t do the minimum to protect their privacy have no right to expect any privacy at all. Their whining about being hard done by is ludicrous. I have to run, need to get back to watching folks watching their Samsung TVs…

       
