Users leak sensitive data via Microsoft document-sharing site

“Think before you click!”

That’s advice we’ve often shared with computer users to help protect them against dodgy links and malware-infected email attachments, but those aren’t the only times when you should take a few seconds to consider what you’re about to do while your finger is hovering over the mouse button.

Take, for instance, the ominous words “Do not show this message again”.

We’re all faced on a daily basis by warning messages and pop-ups that ask us if we’re *really* sure about what we’re about to do, and it can be all too easy to tell such pesky interruptions to our workflow to vamoose.

But this weekend we were once again reminded of the risk of clicking on the “Do not show this message again” option.

UK-based security architect Kevin Beaumont first raised the alarm on Twitter, after noticing that personal and sensitive information (including passwords, social security numbers, dates of birth, credit card statements, medical details and more) were being shared publicly on Microsoft’s document-sharing website, docs.com.

As tech blogger and podcaster Rob Griffiths describes, the problem is that when you upload a file to docs.com, it is made publicly accessible by default:

Public on the web

Anyone can find it on the web. Search engines will find the doc, giving it a larger audience.

In some situations that might be fine. But as a default? Hmm.. I’m not so sure. I would prefer that privacy was the default and people would have to knowingly opt to make something public to the universe.

Anyway, Microsoft clearly realised this might be a problem as its docs.com site displays a warning when you attempt to publish the document.

You are making your document publicly available on the web so search engines can find it. Make sure it doesn’t contain private information that you don’t want to share.

[ ] Do not show this message again.

And there lies the risk.

The warning isn’t really a *loud* warning message. Its subdued nature is not proportionate to the seriousness of publishing sensitive information to the world.

But then things get even worse because it’s so easy to tell this dialog to go away and never show its face again.

Griffiths sums up the issue well:

“I really don’t think Microsoft should default to public share for any uploaded file; that’s just not a safe strategy. (The other setting is Limited, which means a user must have a link to your document to view it. This would protect users from accidentally sharing files that were intended to be privately shared, not publicly visible.)”

“And if, for whatever reason, Microsoft doesn’t want to default to Limited, then that warning dialog should pop up every single time, with no way to bypass it. If you’ve used docs.com, you may want to double-check that what you thought was private is actually private.”

Twitter users began to share images of sensitive information that docs.com users had unwisely shared publicly, and for a while Microsoft withdrew the site’s search functionality while it tried to plug its users’ inadvertent data leaks.

But, of course, that wasn’t really a solution. Hiding sensitive information from docs.com’s search engine doesn’t remove it from the search results of internet search engines.
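To make the two design points concrete (Griffiths’ argument that the default should be Limited and that the public-publication warning should never be bypassable, and the point above that withdrawing a site’s own search doesn’t unpublish documents that external search engines have already indexed), here is a small toy model of a document-sharing service. It is an added example written for this article, not code from docs.com or Microsoft; the service, the preference store and the crawler are simplified stand-ins, and the document name is constructed.

```python
"""Toy model of a document-sharing service with a Limited (link-only) default and a
public-publication warning that a user preference cannot silence. A tiny stand-in for an
external search engine shows why disabling the site's own search does not un-leak a
document that has already been crawled. Constructed example, not docs.com's code."""
from dataclasses import dataclass, field
from enum import Enum


class Visibility(Enum):
    LIMITED = "limited"  # viewable only by someone who holds the link
    PUBLIC = "public"    # anyone on the web; search engines may index it


class ConfirmationRequired(Exception):
    """Raised when a public share is attempted without an explicit acknowledgement."""


PUBLIC_WARNING = (
    "You are making your document publicly available on the web so search engines can "
    "find it. Make sure it doesn't contain private information that you don't want to share."
)

# Warnings that guard an irreversible disclosure must never be silenced by a preference.
NON_SUPPRESSIBLE_WARNINGS = {"publish_public"}


@dataclass
class Document:
    name: str
    visibility: Visibility = Visibility.LIMITED  # private-by-default


@dataclass
class UserPreferences:
    suppressed_warnings: set = field(default_factory=set)

    def suppress(self, warning_id: str) -> bool:
        """'Do not show this message again'. The request is ignored (returns False)
        for warnings on the non-suppressible list."""
        if warning_id in NON_SUPPRESSIBLE_WARNINGS:
            return False
        self.suppressed_warnings.add(warning_id)
        return True


class SharingService:
    def __init__(self):
        self.documents: dict[str, Document] = {}
        self.site_search_enabled = True

    def upload(self, name: str) -> Document:
        doc = Document(name)  # Limited unless the owner later changes it
        self.documents[name] = doc
        return doc

    def set_visibility(self, name, visibility, prefs, confirmed=False):
        doc = self.documents[name]
        if visibility is Visibility.PUBLIC and not confirmed:
            # Deliberately does not consult prefs.suppressed_warnings.
            raise ConfirmationRequired(PUBLIC_WARNING)
        doc.visibility = visibility
        return doc

    def site_search(self, term):
        if not self.site_search_enabled:
            return []
        return sorted(d.name for d in self.documents.values()
                      if d.visibility is Visibility.PUBLIC and term in d.name)


class ExternalSearchEngine:
    """Keeps a copy of whatever was public at crawl time until it crawls again."""
    def __init__(self):
        self.index: set[str] = set()

    def crawl(self, service):
        for d in service.documents.values():
            if d.visibility is Visibility.PUBLIC:
                self.index.add(d.name)
            else:
                self.index.discard(d.name)  # only a recrawl notices a document went Limited

    def search(self, term):
        return sorted(n for n in self.index if term in n)


def leak_scenario():
    """Walk through the incident: publish, get crawled, disable site search, then fix
    the visibility and wait for a recrawl. Returns the three search results."""
    svc, engine, prefs = SharingService(), ExternalSearchEngine(), UserPreferences()
    svc.upload("tax-return-2016.pdf")  # constructed document name
    try:
        svc.set_visibility("tax-return-2016.pdf", Visibility.PUBLIC, prefs)
    except ConfirmationRequired:
        # The dialog was shown; the user acknowledges it explicitly.
        svc.set_visibility("tax-return-2016.pdf", Visibility.PUBLIC, prefs, confirmed=True)
    engine.crawl(svc)
    site_hits = svc.site_search("tax")
    svc.site_search_enabled = False            # the site-side 'fix'
    still_indexed = engine.search("tax")       # external copy is unaffected
    svc.set_visibility("tax-return-2016.pdf", Visibility.LIMITED, prefs)
    engine.crawl(svc)                          # only now does the listing disappear
    return site_hits, still_indexed, engine.search("tax")
```

The `leak_scenario` walk-through returns the document for both the site search and, after site search is switched off, the external engine; only changing the document’s visibility and waiting for the external engine to recrawl clears the listing.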

Ultimately you are the guardian of your personal and sensitive information. If you feel you must use a cloud-based service to store your confidential data, then please be careful to think before you click – especially when it comes to warnings that conclude with the dangerous words “Do not show this message again”.
