Microsoft's Docs.com is sharing dangerously sensitive personal files and information
If you use Microsoft’s Docs.com to store personal documents, stop reading this and make sure you aren’t inadvertently leaking your private information to the world.
Microsoft sets any documents uploaded to the document sharing site as public by default—though it appears that many users aren’t aware of it. That means anyone can search Docs.com for sensitive personal information that wasn’t manually set private. PCWorld found social security numbers, health insurance ID numbers, bank records, job applications, personal contact details, legal correspondence, and drivers license numbers with just a few minutes of searching.
The issue was recently uncovered by security researchers and first reported by ZDNet on Sunday. For a short time, Microsoft removed the site wide search function from Docs.com, but the functionality was back as of Monday morning.
Using basic search techniques, we were able to spot numerous documents containing extremely personal details, finding more than enough information in many of the documents to expose users to identity theft and social engineering attacks. Due to the sensitivity of the information, we won’t publish or link to any of the files we’ve reviewed.
Sharing your work with the world
The reason there is so much public personal information on Docs.com can be chalked up to user confusion about what Docs.com really is, as well as a somewhat problematic design by Microsoft.
The tagline for Docs.com is “Share your work with the world.” It’s a way to put Office documents on the web without hosting them on your own website. As such, files are set to public by default, though you can adjust each document’s privacy settings. The majority of online document and productivity services—including Microsoft’s Office Online and Google Docs—default to keeping files private by default, requiring you to explicitly authorize documents you want to make public.
As for the design issue, the “Visibility” setting that informs users their documents will be public requires users to scroll far down the left-hand navigation column during the upload process. There’s little reason to scroll down, however, since the Save button is immediately visible.
At this writing, and to Microsoft’s credit, a warning box does appear after clicking Save, letting users know that any information they upload will be public. But the warning box is in the same column as the Save button and many users likely click Save a second time without reading it.
The impact on you at home: As we said earlier, if you are using Docs.com for any documents, it would behoove you to check what you have up there and remove anything with personal information.
In general, it’s a bad idea to save documents with personal information on any online service, be it Docs.com, or cloud storage services like Dropbox or OneDrive. If you must upload personal information, then learn to use strong encryption for your documents prior to putting them online. That way if hackers gain access to your account they won’t be able to read your personal data.