Microsoft Docs.com sharing site "accidentally" exposed files

Uploading files and documents to cloud services is so common these days that users don't give the process a second thought. They presume that these services offer a certain level of security and privacy. Sometimes, however, those presumptions can be proven terribly wrong, as users of Microsoft's document sharing service, Docs.com, found out the hard way. Apparently, it was possible to use Docs.com's own search feature to get access to files that users presumed were private. And Microsoft's response? Temporarily disable the search function.

No, Microsoft wasn't hacked, nor was this an accidental leak. In a rather strange and convoluted sense, all the features are working as they were implemented. The problem is that the implementation is highly questionable and, to put it bluntly, inane.

Docs.com's default setting for uploaded files is apparently "Public". This is in stark contrast to almost all other cloud storage and sharing services, though, admittedly, it might be common among more dedicated file-sharing services. It's also in contrast to the default settings for documents created using Microsoft's online Office suite, which marks files as Private by default. Regardless, users worked on the presumption that the files they uploaded would be kept private unless they set them otherwise.

That Docs.com operated in the opposite way had far-reaching and frightening consequences. It made it possible for anyone to use Docs.com's search function to see anything and everything uploaded to the service, or at least everything that hasn't been marked as private afterward. That included documents containing sensitive information like birth dates, phone numbers, e-mails, and yes, passwords.

Microsoft responded to the complaints by silently taking down the search functionality. It's now back up, but it isn't yet known what changes Microsoft has made. It will probably change its default setting to Private, which should have been the case from the start. How it will handle documents that were uploaded earlier and marked public by default is something the company has yet to publicly address.

VIA: ZDNet