
  • Docs.com Search Removed After Trawling Revealed

      • #104624
        Kirsty
        Manager

        Microsoft yanks Docs.com search after complaints of exposed sensitive files

        http://www.zdnet.com/article/microsoft-yanks-docs-com-search-after-complaints-of-exposed-sensitive-files

        Microsoft’s document sharing site, docs.com, had a site search box that was allowing access to publicly-accessible files stored on the site, which were clearly meant to remain private. Microsoft itself has not suffered a security breach, but its users have inadvertently been subjected to one.

        Even though the search feature was removed over the weekend, the results are apparently still appearing in search engines, according to the zdnet.com article linked above.

        3 users thanked author for this post.
      • #104659
        Noel Carboni
        AskWoody_MVP

        It’s kind of along the lines of what common sense thinkers have always known:

        Send your data to the cloud (aka to someone else’s server) only if you want it seen by… Someone else.

        Lessons?
        Obscurity is not security. Trust should not be given lightly. When you assume you make an… 😉

        -Noel

        • #104678
          b
          AskWoody MVP

          How did this involve obscurity? (Docs.com says “Showcase …” as its first word.)

          The article has a footnote that indicates the search feature was restored today.

          Windows 10 Pro version 21H1 build 19043.985 + Microsoft 365 (group ASAP)

          • #104688
            satrow
            AskWoody MVP

            “Update on March 27: the search feature has been added back, and is still exposing personal information. Microsoft hasn’t explained why it reintroduced the feature again.”

            2 users thanked author for this post.
            • #104690
              b
              AskWoody MVP

              Thanks for quoting, without comment, what I had already read and referred to. Very useful.

              Windows 10 Pro version 21H1 build 19043.985 + Microsoft 365 (group ASAP)

              • #104691
                satrow
                AskWoody MVP

                Useful for others, your comment might have misled people into thinking search was now fixed and no longer revealing private file contents, which is clearly not the case if the report is accurate.

              • #104694
                b
                AskWoody MVP

                I don’t think search was ever broken. It’s a public publishing/sharing site by default:

                Why should I share my content on Docs.com?
                It’s the best way to get your work noticed and gain a broader audience.

                Frequently Asked Questions about Docs.com

                Windows 10 Pro version 21H1 build 19043.985 + Microsoft 365 (group ASAP)

              • #104739
                satrow
                AskWoody MVP

                Perhaps the following wasn’t made clear enough, or advertising was aimed at those who aren’t very Cloud savvy?

                A lot of PC users are still pretty clueless when it comes to privacy and security, Cloud sites would be better if they were private only to begin with, users would then need to find out about the various degrees of visibility/sharing.

                Heck, most MS Office users probably have no clue about the hidden data in their documents either.

                “Who can see my documents?

                For anything that you publish on Docs.com, you can set the visibility of your documents or collections to either Public or Limited.

                Anything you publish with Public visibility will appear in worldwide search engine results and can be shared by you and others on social media sites. This option is a great way to get your work noticed. On the other hand, anything you publish with Limited visibility does not appear in search engine results and can be viewed only by people with whom a direct link to your content has been shared. Similarly, anything you publish with Organization visibility does not appear in search engine results and can be viewed only by those who sign in with a school or work account from your school or organization.”

                1 user thanked author for this post.
              • #104756
                b
                AskWoody MVP

                Possibly, but after registration the home page heading becomes, “Share your work with the world” alongside a Publish button.

                I wasn’t able to find much sensitive information at all, so I think it’s generally understood (except by the wannabe hacker who started the twitterstorm).

                Windows 10 Pro version 21H1 build 19043.985 + Microsoft 365 (group ASAP)

              • #104758
                satrow
                AskWoody MVP

                … wannabe hacker…

                Ah, that smacks of victim blaming.

                The person who sees the erroneously shared data is ‘bad’ but the author/publisher and the facilitators (yup, that’s MS, it’s their site) are completely blame free?

                1 user thanked author for this post.
              • #104762
                b
                AskWoody MVP

                He wasn’t a victim, but has overhyped the situation. I don’t think there’s much blame to be shared, as it seems to be working as designed and understood by most.

                Windows 10 Pro version 21H1 build 19043.985 + Microsoft 365 (group ASAP)

              • #104764
                satrow
                AskWoody MVP

                Ah, so you’ve read MS’ statement? Link?

              • #104875
                b
                AskWoody MVP

                A Microsoft spokesperson made the following statement to Ars Technica:

                Docs.com lets customers showcase and share their documents with the world. As part of our commitment to protect customers, we’re taking steps to help those who may have inadvertently published documents with sensitive information. Customers can review and update their settings by logging into their account at www.docs.com.

                https://arstechnica.com/security/2017/03/doxed-by-microsofts-docs-com-users-unwittingly-shared-sensitive-docs-publicly/

                Windows 10 Pro version 21H1 build 19043.985 + Microsoft 365 (group ASAP)

              • #104882
                woody
                Manager

                Yep. And the big question is whether Microsoft should allow – encourage – people to post their personal documents for all the world to see.

                There are good and bad sides to that, as you and others have noted.

                Idly searching through Docs.com still brings up all sorts of embarrassing things. Court orders. Government documents. Password lists. Internal company documents. Should they be banned? Probably not. But the owners should be chastised…

                1 user thanked author for this post.
      • #104711
        Noel Carboni
        AskWoody_MVP

        How did this involve obscurity?

        I was just imagining that people who blithely uploaded their documents might have been thinking, who cares if I upload this personal data; no one’s going to see it in my little subfolder except the person I sent the link to. Or maybe they didn’t think at all, and just assumed whatever Word wanted to do with their documents was good for them.

        To err is human. To really mine your data requires a computer.

        Rules of thumb like those I published above are there for non-thinkers.

        -Noel

        1 user thanked author for this post.
      • #104883
        woody
        Manager

        The search box is back. Not clear what has changed.

        1 user thanked author for this post.
      • #120047
        dph853
        AskWoody Plus

        It is hard to muster a lot of sympathy for those who blindly click away on the net with nary a thought as to what they are doing. I see all too often those who take advantage of integrated software features or use websites without taking the time to understand what is happening when they do.

        Many have never heard of crawlers that scour the net for info to be added to the results returned by their favorite search engine. Heaven forbid taking the time to encrypt their files before putting them on a storage site. Hey, if Dropbox protects my stuff so does docs.com I guess. It’s too hard or they don’t have the time to figure out how a zip password works. Any feeble attempt to thwart a casual observer is better than doing nothing at all.

        If you wish to use a service, any service, and you haven’t taken the time and made the effort to educate yourself about that service, you get what you deserve. I have never used docs.com but somewhere in the help files there must be a mention that documents uploaded are public by default. Anyone who ever bothered to look at their account profile on that site should have been able to see the option to limit access to their submissions by default.

        These people didn’t care, and couldn’t be bothered, so neither do I. Most probably still do not realize that they are providing hours of laughs for those who wish to look for these embarrassing or personal tidbits. Same for those who can’t be bothered changing the default password on their web cams or their baby monitors. Those who don’t do the minimum to protect their privacy have no right to expect any privacy at all. Their whining about being hard done by is ludicrous. I have to run, need to get back to watching folks watching their Samsung TVs…

         
