Users of Microsoft Office 365 are unwittingly sharing sensitive documents because they don’t understand how Office 365 sharing works.
Other information, including passwords and health information, was also found via docs.com (the search engine element of Microsoft’s online Office suite).
This issue was revealed by Kevin Beaumont in a series of tweets, through which he highlighted his finds:
.@InvertedLina there’s loads. People clearly don’t understand how the service works. It defaults to Publicly accessible, which is the prob. — Kevin Beaumont (@GossiTheDog) March 27, 2017
Google still index https://t.co/3TC07CB8gE. In fairness to Docs team it clearly says Publicly Viewable when publishing content. pic.twitter.com/7B63r0B9gH — Kevin Beaumont (@GossiTheDog) March 26, 2017
Microsoft has stated that it is ‘Working On A Solution’. It took down the search box from docs.com, but the search box has since been reinstated without a fix for the issue.
A statement from Microsoft said: “As part of our commitment to protect customers, we’re taking steps to help those who may have inadvertently published documents with sensitive information.
“Customers can review and update their settings by logging into their account at www.docs.com.”
The problem lies in how Office 365 handles the sharing of documents. The default setting for Office is to share a document with everyone, making it available for indexing. To keep the data private, you have to separately specify the group, or individuals within it, to share with. This is also true of other sharing services like Dropbox and Google Drive, but they don’t seem to be leaking information in the same way.
According to the BBC, further investigations revealed the information was not only freely available, but still cached on both Google and Bing even after deletion.
Information including National Insurance numbers, social security details, banking details and passwords was amongst the nuggets found by the white-hat community, which began exploring the exploits after Beaumont unearthed them.
Microsoft, as usual, is taking a pretty low-key approach to this current issue.