
Office365 users shared hundreds of sensitive docs publicly through docs.com - umeshunni
https://arstechnica.com/security/2017/03/doxed-by-microsofts-docs-com-users-unwittingly-shared-sensitive-docs-publicly/
======
cwyers
I don't get it. It's a site designed for public sharing -- the word "showcase"
is right on the front page, as username223 points out. I just loaded it up and
walked through uploading a file to it. It's incredibly explicit about what
it's doing. Under "Visibility," it says:

"Public on the web Anyone can find it on the web. Search engines will find the
doc, giving it a larger audience."

It's not unambiguous. It's very clear. The only way you can't tell what it's
doing is if you just pay no attention whatsoever to what you're doing. It's
not the default sharing method from either Office 365 (web, traditional or
Android/iOS) or OneDrive. You have to opt into using it at all at an IT
department level if you have a corporate Office 365 department. You really
just can't stop users from footgunning themselves when they're on the open
Internet.

~~~
Spooky23
When we deployed O365 to 100k+ people, we ran into a few things like this.

A big one was the meaning of "everyone" in OneDrive. Many people thought that
it meant "everyone on my team", and posted all sorts of wacky stuff.

~~~
bigger_cheese
My work switched pretty recently (December last year). One thing I've
noticed that has really annoyed me is that all the Office apps have OneDrive
set as the default location to save anything. I've never used OneDrive, I
don't want to use OneDrive, but every time I hit save in Word or Excel it
defaults to "OneDrive" and I have to physically click the "This PC" button and
browse to my local disk to save a copy locally every single time.

No one in my building uses OneDrive, no one asked for OneDrive, but Microsoft
keeps trying to shove it down our throats. It feels like an anti-pattern like
the forced Windows 10 "upgrade" for home users.

According to Word I have Office 365 ProPlus version - I note there is no
option to save to docs.com.

~~~
nu5500
I am curious what your resistance is to OneDrive. Personally, I try to put as
much in there as I can as I frequently switch machines that I am working on. I
keep my work code in there as well (Git repo and all) and it's convenient when
switching between VMs or when needing to wipe my workstation and start fresh.

I encounter many co-workers though who like to do things "the old way" and
just email copies of documents around and then spend time merging them back
together instead of sending a link to their OneDrive. Just more files for me
to juggle on my computer. No thanks.

~~~
bigger_cheese
There are a few reasons, partly because of corporate policy which says no
sensitive documents on cloud.

Partly because I need to access stuff offline so prefer to have a local copy.
For example if I have to take my laptop travelling between sites I may
not have access to an internet connection.

You're right that a large part is familiarity - we use SharePoint (which I also
hate) to share documents between teams rather than email.

------
phs318u
Microsoft clearly made this to be a Scribd alternative. O365 defaults to
private sharing everywhere. To quote from the article, "Office 365 and Azure
Tenant administrators must 'opt-in' to enable users with organizational
accounts to use the service".

On [https://docs.com/docscom](https://docs.com/docscom) the description of the
service is "Docs.com by Microsoft is an Internet site for publishing Office
documents that anyone can find, browse, and share". The only way this could be
clearer is if the word 'anyone' was changed to 'anyone in the world'.

Finally, (for some license types) O365 offers precisely the kind of DLP
capabilities that would let users use such a service while blocking the
sharing of SSNs etc.

For business accounts, not only has someone actively turned on this
capability, they have then failed to communicate its purpose to users. The
users themselves have then failed to understand what they were doing.

I'm sorry, but while I can sympathise with people, this is clearly not MS'
problem.

For the record, my current employer (a university) has not enabled this
function.

------
username223
It _does_ say right on the front page: "Showcase and discover Microsoft Word,
Excel, PowerPoint, OneNote, Sway, Minecraft world and PDF documents for free,"
so it's pretty clearly intended for public distribution of e.g. document
templates. On the other hand, how on earth did MS release it and let it live
without noticing that people were using it completely wrong? They should have
quickly noticed that people were using it to exchange sensitive documents,
then pulled the service and redesigned it so that sort of behavior became
exceedingly rare.

Even sophisticated users will misuse these services: remember the fad of
putting all your dot-files on Github, when a bunch of people uploaded their
Amazon credentials? This is giving the same opportunity to much less
sophisticated users, with predictable results.

~~~
nilanjonB
Basically they thought no one would bother... and then thought fudge, we're
screwed

------
alphabettsy
I understand people may want to upload documents for sharing by link for
example, but it's obviously not clear enough to users that their documents can
be searched by anyone and MS is even providing a document search with OCR it
seems.

I doubt these people intended to share, in a publicly searchable form, copies
of their tax forms, passports, medical records, client lists, etc.

It's easy to call the users careless or stupid, but that expectation should've
been baked into the product. For a document to be indexed and publicly
searchable should be an explicit setting, not a default.

~~~
johansch
The messed up thing here, if I understand the article correctly, is that
documents shared via a private URL containing a private key were all
searchable via the search box on docs.com.

That's beyond being a UX issue, it's just.. wrong. So wrong that I could see
lawsuits from this issue.

It's also a class of bug that I really couldn't imagine happening outside of
Microsoft in terms of consumer software services from large-scale companies.

Here's a free idea for Google: Create a safety index service for saas stuff
and then apply it to Chrome. I'd use it.

~~~
nebabyte
I guess technically it could be an API or a permissions issue. But yeah, not
UX

~~~
alphabettsy
Maybe a UX issue because it allows people to, easily without proper warning,
create a link for sharing like Dropbox, but unlike Dropbox it not only makes
everything indexable, they even do it themselves and provide a search engine
for the docs.

------
laurencei
I don't understand why docs.com even has a search bar in the first place?

Apart from a "direct link" - who would want to go to docs.com and search for
a topic?

I've been able to find lots of interesting documents searching for some
medical, business and financial terms. There must be thousands if not tens of
thousands of sensitive documents available...

~~~
dragonwriter
> I don't understand why docs.com even has a search bar in the first place?

Because it was designed for public sharing of documents and templates, and
public sharing without discoverability sucks.

~~~
nebabyte
Then putting it under a brand that for so long has been associated with (and
pushed on, and designed for) internal enterprise documents or other
sensitive/personal docs might not've been the best move?

I don't know that there's a "social docs" brand, to figure out what it would
call itself; but if MS exerted the minimal effort to understand its audience
(which is required of any tech company that sells to domain experts who are
more occupied with their work than what the workspace is configured to do), it
wouldn't take them long to figure out how to pitch things to those users to
accomplish whatever it is they're trying to do.

~~~
contextfree
My guess is docs.com will be merged into LinkedIn at some point; that would
largely solve the problem since people already have a mental model of LI's
purpose and sharing semantics, etc. (or at least the cost of acquiring one is
amortized over other services/features that are part of LI)

------
Stranger43
In many ways the real story here is that the cloud makes certain kinds of
shortcuts that are incredibly common in aggressive organizations where "doers"
are promoted over "critics" exponentially more likely to lead to serious
negative consequences.

In the past an insecure shortcut was an unsecured and unaudited consumer-grade
network share sitting somewhere on a LAN; today it's an Internet-facing cloud
service designed for publication used to collaborate on "internal only"
documents that should not even have been visible to the entire company.

It's not that the cloud is "insecure" but that it makes it way too easy for
those who should not make IT decisions to turn to shadow IT solutions in order
to avoid having to adhere to cumbersome bureaucratic processes and corporate
governance frameworks and "get stuff done".

------
frik
Facebook sneaked in Docs.com to all Facebook users due to a deal with
Microsoft (they bought 2% of the shares around the same time). So back then,
one had to search through the mess of Facebook settings only to deactivate
Docs.com. Otherwise users' uploaded Office documents got shared with Docs.com
for friends and the internet. Facebook had some simple note taking and user
pages feature that allows uploading Office docs back then. I wouldn't be
surprised if these old files are still somewhere online even after the repurposed
and their service.

[https://en.wikipedia.org/wiki/Docs.com](https://en.wikipedia.org/wiki/Docs.com)

------
excalibur
> No results found for 1040 donald trump site:docs.com.

Dammit.

~~~
at-fates-hands
Maybe not, but just searching "ssn" gives any identity thief a goldmine of
information.

------
andrewfong
Apart from whether "publicly searchable" should be an explicit / implicit
setting, this seems like something that could also largely be mitigated with
some simple keyword flags. Words like "SSN" or "confidential" or the like are
probably good indicators that this doc shouldn't have been shared and
something that requires an extra approval dialog. That keyword list could also
be something you'd expand over time and could use to retroactively remind
users that they might have inadvertently shared something they shouldn't have.
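
The keyword flags suggested in this comment, and the DLP-style blocking of SSNs mentioned earlier in the thread, sketched as an added example that is not part of any comment and not Microsoft's code. The function names, the rule set and the sample documents are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed rule set: "SSN" and "confidential" come from the comment above;
# the SSN number pattern is an added assumption about what a flag would match.
KEYWORDS = re.compile(r"\b(ssn|confidential)\b", re.IGNORECASE)
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass
class Finding:
    rule: str
    excerpt: str  # masked so the review log does not itself leak the value


def scan(text):
    """Return the findings that suggest the document was not meant to be public."""
    findings = [Finding("keyword", m.group(0).lower()) for m in KEYWORDS.finditer(text)]
    for m in SSN_PATTERN.finditer(text):
        findings.append(Finding("ssn_pattern", "***-**-" + m.group(0)[-4:]))
    return findings


def publish_decision(text, visibility):
    """'allow' for non-public saves; public saves with findings need extra approval."""
    if visibility != "public":
        return "allow"
    return "needs_approval" if scan(text) else "allow"


def retroactive_review(public_docs):
    """Map doc id -> findings for already-public documents, to drive reminders."""
    return {doc_id: f for doc_id, text in public_docs.items() if (f := scan(text))}


# Constructed sample documents (no real data).
SAMPLE_DOCS = {
    "template-001": "Quarterly newsletter template. Replace the headline and photo.",
    "upload-002": "CONFIDENTIAL: payroll export. Employee SSN 123-45-6789.",
}

if __name__ == "__main__":
    for doc_id, text in SAMPLE_DOCS.items():
        print(doc_id, publish_decision(text, "public"))
    print(retroactive_review(SAMPLE_DOCS))
```

The check only gates the public path, so it adds an approval step without changing private saves, and the same `scan` drives the retroactive reminder pass.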

~~~
nebabyte
If your UX involves introspecting content to determine whether it is being
misfiled, you're already doing something wrong. Such gimmicks work as
'syntactic sugar' (think Google's "did you forget an attachment" message) but
they shouldn't be the first the user sees of the feature (in goog's case,
having an always-visible attachment icon.)

If they absolutely want to go the idiotic route of public-by-default, a
'private'/'public' switch might be too noisy; a 'create new document'/'create
new private document' too redundant... Honestly, I don't see why they would
want to go that route anyways. The model is practically handed to them on a
silver platter; most users want to keep docs private, unless and until they
wish to have a document pool for sharing (easy to build infrastructure for),
explicitly share single docs (again, just add a 'share' button and people get
it), or make it publicly accessible (i.e. "post" or "publish" to a
platform.)

As I said in another comment here - everything gets explained away once you
assume MS' incompetence in things. (I mean for god's sake, there are so many
other solutions in this space that they have all the hard thinking be done for
them!)

~~~
contextfree
I think you're missing the context. Office Online/OneDrive/etc. already
implement more or less the default behavior you recommend. docs.com is a
separate service intended specifically for public sharing, i.e., it's a
platform to which you post or publish.

I would guess this is less of a technical or UI design problem and more of a
branding/product concept/positioning problem, i.e., (some) people don't seem
to understand the overall concept of the product, possibly because of the name

------
Nition
I think it's hard to say how well this was communicated to the public without
knowing the total amount of users of the service. Maybe 99.99% of people did
NOT upload public documents by mistake. Maybe only 95%. Depends on how many
documents are safely private.

------
bognition
Searching for "1099" brings up quite a few interesting documents

------
libeclipse
#OfficeBleed anyone?

------
ChuckMcM
Ouch. That seems pretty egregious. I would hope that Microsoft would at least
make 'public' sharing the thing you would have to select and authorize rather
than making it the default. But apparently that wasn't the choice here.

~~~
nebabyte
"It's not like we can just flip a switch"

------
twiss
Shameless plug: I'm working on a private (encrypted) alternative to Google
Docs & Office 365: [https://www.airbornos.com](https://www.airbornos.com).

------
johansch
So Microsoft is still mediocre security-wise, despite all of those people
claiming the company has been reinvented?

I can believe the reinvented claim (that's the kind of thing a new, good CEO
can influence), but quality goes very deep, into each employee. Any one hire
can screw up fatally. It takes a lot of hard work to build a security
conscious culture/company hierarchy.

(Edit: Hello Redmond people!)

~~~
nebabyte
Not just the people, but the structure. You can't just change the head and
assume the body will change itself. If aspects of design and execution stay
the same, you're not magically going to build better QA or better-thought-
through systems/architecture because "new face".

It's far safer to operate on the assumption that MS is just through-and-
through incompetent at this point than try and pinpoint the cause of any one
problem in a long history of them. I gave up on them around the mid-IE days
(think I might've been particularly miffed when they scrapped the Courier
concept) but I haven't looked back and haven't regretted it since.

~~~
johansch
Exactly. Maybe in 20 years they'll be competent when 95% of the current code
has been retired but until then: Sayonara.

(Well, I doubt it, but there's at least a theoretical chance, right?)

~~~
nebabyte
I dunno, I'm inclined to agree with your first impulse - after all, the
assumption of "well it's been a while, surely they've gotten their shit
together by now?" would be the reason one would think they'd be on the ball
_today_ :P

If the code's retired, it could just as easily be because some inferior
process led by devs without the proper guiding vision just swapped it out for
some overengineered platform they 'know how to code in better' that's being
hailed as the future of such-and-such that doesn't reimplement nearly as
completely or robustly features that people had come to expect, and is less
stable to boot. ("Secure time" [0] anyone?) But hey, just spitballing here.

MS is like the Hammer Industries of our world; never rely on Hammertech.
Though I guess as long as they keep enough enterprise dinosaur contracts
they'll keep limping on like Hammer too. _shrug_

[0] [https://redd.it/61o8p0](https://redd.it/61o8p0)

