Industry News

Users leak sensitive data via Microsoft document-sharing site

“Think before you click!”

That’s advice we’ve often shared with computer users to help protect them against dodgy links and malware-infected email attachments, but those aren’t the only times when you should take a few seconds to consider what you’re about to do while your finger is hovering over the mouse button.

Take, for instance, the ominous words “Do not show this message again”.

We’re all faced on a daily basis with warning messages and pop-ups that ask us if we’re *really* sure about what we’re about to do, and it can be all too easy to tell such pesky interruptions to our workflow to vamoose.

But this weekend we were once again reminded of the risk of clicking on the “Do not show this message again” option.

UK-based security architect Kevin Beaumont first raised the alarm on Twitter, after noticing that personal and sensitive information (including passwords, social security numbers, dates of birth, credit card statements, medical details and more) was being shared publicly on Microsoft’s document-sharing website, docs.com.

As tech blogger and podcaster Rob Griffiths describes, the problem is that when you upload a file to docs.com, it is made publicly accessible by default:

Public on the web

Anyone can find it on the web. Search engines will find the doc, giving it a larger audience.

In some situations that might be fine. But as a default? Hmm.. I’m not so sure. I would prefer that privacy was the default and people would have to knowingly opt to make something public to the universe.

Anyway, Microsoft clearly realised this might be a problem, as its docs.com site displays a warning when you attempt to publish a document:

You are making your document publicly available on the web so search engines can find it. Make sure it doesn’t contain private information that you don’t want to share.

[ ] Do not show this message again.

And there lies the risk.

The warning isn’t really a *loud* warning message. Its subdued nature is not proportionate to the seriousness of publishing sensitive information to the world.

But then things get even worse, because it’s so easy to tell this dialog to go away and never show its face again.

Griffiths sums up the issue well:

“I really don’t think Microsoft should default to public share for any uploaded file; that’s just not a safe strategy. (The other setting is Limited, which means a user must have a link to your document to view it. This would protect users from accidentally sharing files that were intended to be privately shared, not publicly visible.)”

“And if, for whatever reason, Microsoft doesn’t want to default to Limited, then that warning dialog should pop up every single time, with no way to bypass it. If you’ve used docs.com, you may want to double-check that what you thought was private is actually private.”
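To make the two designs Griffiths contrasts concrete, here is an added example of my own; it is not Microsoft’s docs.com code and not Griffiths’s. It models a publish flow whose default is “Public on the web” and whose persisted “Do not show this message again” flag silences the warning, beside one whose default is “Limited” and which demands a fresh confirmation every time a document is made public. The class names, the preference store, the sample documents and the sensitivity heuristic (an SSN-shaped number and a Luhn-valid card number) are all assumptions made for illustration, not anything docs.com does.

```python
"""Model of the two publish flows described above. Hypothetical example code;
the visibility names follow the article, everything else is an assumption."""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

PUBLIC = "Public on the web"   # anyone can find it; search engines index it
LIMITED = "Limited"            # only reachable with the link

# Constructed heuristic for content that should never go public by default.
_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
_CARD = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check used to tell a real card number from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_sensitive(text: str) -> List[str]:
    """Return the kinds of sensitive data the heuristic finds in text."""
    hits = []
    if _SSN.search(text):
        hits.append("ssn")
    for m in _CARD.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append("card")
            break
    return hits


@dataclass
class WeakPublisher:
    """Default is public; a persisted 'do not show again' flag skips the warning."""
    prefs: dict = field(default_factory=dict)
    published: list = field(default_factory=list)

    def publish(self, text: str, visibility: str = PUBLIC,
                confirm: Optional[Callable[[], Tuple[bool, bool]]] = None) -> Optional[str]:
        if visibility == PUBLIC and not self.prefs.get("suppress_warning"):
            proceed, dont_show_again = confirm()   # the dialog from the article
            if dont_show_again:
                self.prefs["suppress_warning"] = True   # silenced for every later upload
            if not proceed:
                return None
        self.published.append((text, visibility))
        return visibility


@dataclass
class HardenedPublisher:
    """Default is Limited; going public needs explicit confirmation every time,
    and the prompt names what the heuristic found. There is no suppression flag."""
    published: list = field(default_factory=list)

    def publish(self, text: str, visibility: str = LIMITED,
                confirm: Optional[Callable[[str], bool]] = None) -> Optional[str]:
        if visibility == PUBLIC:
            warning = "This will be visible to anyone and indexed by search engines."
            hits = looks_sensitive(text)
            if hits:
                warning += " It appears to contain: " + ", ".join(hits) + "."
            if confirm is None or not confirm(warning):
                return None
        self.published.append((text, visibility))
        return visibility


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Walk both flows with two constructed documents."""
    harmless = "Team lunch menu"
    payroll = "Payroll: SSN 123-45-6789, card 4111 1111 1111 1111"  # constructed sample

    weak = WeakPublisher()
    weak.publish(harmless, confirm=lambda: (True, True))      # user ticks 'do not show again'
    # The next upload goes public without the user ever seeing the warning,
    # even though this confirm callback would have declined it.
    weak_result = weak.publish(payroll, confirm=lambda: (False, False))

    hard = HardenedPublisher()
    hard_default = hard.publish(payroll)                       # Limited, no prompt needed
    # Choosing public always prompts; here the user declines once warned about the content.
    hard_public = hard.publish(payroll, PUBLIC,
                               confirm=lambda msg: "appears to contain" not in msg)
    return weak_result, hard_default, hard_public


if __name__ == "__main__":
    print(demo())
```

The point of the weak flow is that the dangerous decision (make it public) is taken for the user by the default, and the one control that could catch it is a persisted preference the user set once on an innocuous document. The hardened flow keeps the safe option as the default and ties the confirmation to the individual action, so there is nothing to suppress.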

Twitter users began to share images of sensitive information that docs.com users had unwisely shared publicly, and for a while Microsoft withdrew the site’s search functionality while it tried to plug its users’ inadvertent data leaks.

But, of course, that wasn’t really a solution. Hiding sensitive information from docs.com’s own search doesn’t remove it from the results of internet search engines such as Google or Bing, which had already crawled, indexed and cached the public documents. A leaked file stays findable there until it is deleted or made Limited and the search engines re-crawl it or process a removal request.

Ultimately you are the guardian of your personal and sensitive information. If you feel you must use a cloud-based service to store your confidential data, then please be careful to think before you click – especially when it comes to warnings that conclude with the dangerous words “Do not show this message again”.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

3 Comments


  • That looks like a pretty loud warning message to me. I mean, it's not "Punch the Monkey" or anything at that level, but it grays the prior form and draws focus to itself. If people choose not to read and at least on a minimal level understand what they're using, then they're absolutely responsible for the consequences of their decision to use it.

  • I do not use Microsoft document sharing and have not seen their warning previously. However, it is much like many I have seen in other contexts, and it is reasonably clear, at least to anyone who bothers to read it, what is going on and what is necessary to save the document so it cannot be seen by others. The only obvious ambiguity is whether unchecking will be remembered and applied to later document saves.

    It appears nobody, any more, can be assumed to think, or to exercise agency on their own behalf, but need to have corporations do it for them and government action to oversee the corporations and compel their obedience when someone thinks they have fallen down on the job. Pretty much the same subset of the population then works itself into a frenzy over reports, largely of things well known to those with a bit of interest and initiative, of government mass surveillance.

    We cannot have it both ways.

  • I see that docs.com is offered by Microsoft as "an Internet site for publishing Office documents that anyone can find, browse and share." Therefore users should rather be warned that this is exactly what they will get when using this platform. I don't think Microsoft is at fault in this instance.