It seems that the error allows anybody to search through millions of files that have been made public even though these documents were supposed to be private. Users took to Twitter over the weekend to complain about the issue. Because of this flaw, anybody can use the search box to access sensitive files stored on Docs.com. Among the ‘private’ files that have been made public are password lists, legal agreements, divorce settlements, credit card statements, email addresses, and physical addresses. Of course, some of these documents contain privacy-sensitive material such as social security numbers. Security expert TinkerSec started tweeting about the issue. The Twitter status for the leaked documents has since been closed. Naturally, we are not going to post any links to the exposed Docs.com searches.
Microsoft Fix
Microsoft has not spoken officially about the cause of the problem, but the company did move quickly to solve it and sweep it under the rug. It appears that this is not an outside cyberattack on Docs.com; instead it looks to be an internal software problem. The company has not fixed the specific issue yet, but it has removed the search function. This means users can no longer search the site for the sensitive material. However, some people are already pointing out that the files are still cached on Google and Bing.

There is a possibility that this is not Microsoft’s fault, or at least not directly. Users upload documents themselves, and by default Docs.com makes uploaded documents public. Perhaps many users did not know this and assumed their content would be private from the start. It will be interesting to see Microsoft’s official take on this matter and where the company places the blame.

As you can see in the screenshot (from this morning) above, Microsoft has since put the search function back. This suggests it was a problem with the service and the company has made some fixes.

One more note: even if this is a problem caused by users, some of the blame must lie with Microsoft. In an age where privacy is hugely important and attacks happen frequently, privacy as a default should be the norm.