On March 25, security researcher Kevin Beaumont discovered something very unfortunate on Docs.com, Microsoft’s free document-sharing site tied to the company’s Office 365 service: its homepage had a search bar. That in itself would not have been a problem if Office 2016 and Office 365 users were aware that the documents they were posting were being shared publicly.
Unfortunately, hundreds of them weren’t. As described in a Microsoft support document, “with Docs.com, you can create an online portfolio of your expertise, discover, download, or bookmark works from other authors, and build your brand with built-in SEO, analytics, and email and social sharing.” But many users used Docs.com to either share documents within their organizations or to pass them to people outside their organizations—unaware that the data was being indexed by search engines.
You can probably see where I’m going with this and https://t.co/3TC07CB8gE. pic.twitter.com/zCJAcNNx3a
— Kevin Beaumont (@GossiTheDog) March 25, 2017
Within a few hours, Beaumont, a number of other researchers, and Ars found a significant number of documents shared with sensitive information in them—some of them discoverable by just entering “passwords” or “SSN” or “account number.”