If you use to store personal documents, stop reading this and make sure you aren’t inadvertently leaking your private information to the world.
Microsoft sets any documents uploaded to the document sharing site as public by default—though it appears that many users aren’t aware of it. That means anyone can search Docs.com for sensitive personal information that wasn’t manually set private. PCWorld found social security numbers, health insurance ID numbers, bank records, job applications, personal contact details, legal correspondence, and drivers license numbers with just a few minutes of searching.
The issue was recently uncovered by security researchers and first reported by on Sunday. For a short time, Microsoft removed the site wide search function from Docs.com, but the functionality was back as of Monday morning.
Using basic search techniques, we were able to spot numerous documents containing extremely personal details, finding more than enough information in many of the documents to expose users to identity theft and social engineering attacks. Due to the sensitivity of the information, we won’t publish or link to any of the files we’ve reviewed.
Brad Chacos/PCWorld What a user first sees when they upload a document to Docs.com.
What a user first sees when they upload a document to Docs.com.
As for the design issue, the “Visibility” setting that informs users their documents will be public requires users to scroll far down the left-hand navigation column during the upload process. There’s little reason to scroll down, however, since the Save button is immediately visible.
At this writing, and to Microsoft’s credit, a warning box does appear after clicking Save, letting users know that any information they upload will be public. But the warning box is in the same column as the Save button and many users likely click Save a second time without reading it.
prior to putting them online. That way if hackers gain access to your account they won’t be able to read your personal data.
This story, “Microsoft’s Docs.com is sharing dangerously sensitive personal files, information” was originally published by