Users of Microsoft's docs.com may have been inadvertently sharing personal information, according to a researcher who found the document sharing site was allowing private docs to be searched.
Security researcher Kevin Beaumont discovered that Microsoft's free document-sharing site, which is linked to the company's Office 365 service, has a search bar that allows anyone to browse documents posted to the cloud service. Beaumont tweeted his findings on March 24, and the next day he was told the search functionality and all public-facing documents had been removed.
However, afterward Beaumont and other researchers were still able to find sensitive documents including social security numbers and passwords by searching for "passwords" or "SSN" or "account number."
The documents were also indexed by the Google, Yahoo, and Bing search engines, and many of the documents are still searchable from Yahoo search engines as of 12.00 EST March 27, according to a recent tweet from Beaumont.
Prior to the incident, Microsoft published a notice advising users on how to use Docs.com in their organization. “Because Docs.com does not yet meet all of Office 365 compliance framework requirements, Office 365 and Azure Tenant administrators must ‘opt-in’ to enable users with organizational accounts to use the service,” the notice said.
"Docs.com lets customers showcase and share their documents with the world. As part of our commitment to protect customers, we're taking steps to help those who may have inadvertently published documents with sensitive information. Customers can review and update their settings by logging into their account at www.docs.com," a Microsoft spokesperson told SC Media.