On March 25, security researcher Kevin Beaumont discovered something very unfortunate on Docs.com, Microsoft’s free document-sharing site tied to the company’s Office 365 service: its homepage had a search bar.
That in itself would not have been a problem if Office 2016 and Office 365 users were aware that the documents they were posting were being shared publicly.
Unfortunately, hundreds of them weren’t.
As described in a Microsoft support document, “with Docs.com, you can create an online portfolio of your expertise, discover, download, or bookmark works from other authors, and build your brand with built-in SEO, analytics, and email and social sharing.”
But many users used Docs.com to either share documents within their organizations or to pass them to people outside their organizations—unaware that the data was being indexed by search engines.
Within a few hours, Beaumont, a number of other researchers, and Ars found a significant number of documents shared with sensitive information in them—some of them discoverable by just entering “passwords” or “SSN” or “account number.”
A small sample of the documents discovered included:
- A list of maintenance logins and passwords for a number of devices, including metal detectors and other security devices.
- A list of names, addresses, social security numbers, bank account numbers, e-mail addresses and phone numbers, apparently passed to a debt collector on behalf of a number of payday loan and finance companies.
- Medical data, including one physician’s treatment logs and photos, as well as credentials for logging into medical records systems.
- A new employee enrollment document with instructions on how to connect to a corporate intranet gateway for the first time (with default username and password information).
- Actual login and password information, saved as Word documents, from an administrator e-mail.
By about 6pm EDT on March 25, Microsoft had removed the search bar from the initial Docs.com homepage, but it still remains on other pages within Docs.com.
And many of the documents are still discoverable on the Google or Bing search engines, as they had been publicly indexed. That means that until the documents are unpublished from Docs.com, they will continue to be accessible to anyone who searches against the site.
Microsoft had previously published a notice on security fixes to Docs.com for Office 365 administrators, advising them on how to control access by users to the service.
“Because Docs.com does not yet meet all of Office 365 compliance framework requirements, Office 365 and Azure Tenant administrators must ‘opt-in’ to enable users with organizational accounts to use the service,” the Microsoft Support document states.
It’s not clear how recently that change was made; Ars Technica has reached out to Microsoft for further comment.
Update March 27: This morning, Microsoft disabled some searches on Docs.com and is blocking some incoming links to searches from Google. But additional documents were discoverable via Google search, including documents with health benefits information filled in.
Update March 27: Microsoft has re-enabled search for some reason, and PII searches are still not blocked.
Update March 27: A Microsoft spokesperson made the following statement to Ars Technica:
Docs.com lets customers showcase and share their documents with the world. As part of our commitment to protect customers, we’re taking steps to help those who may have inadvertently published documents with sensitive information. Customers can review and update their settings by logging into their account at www.docs.com.