Microsoft Found Sharing Private Office 365 Documents

A security researcher has found a critical flaw with Microsoft’s Office 365 service that allowed users to access other users’ private documents. Kevin Beumont discovered that the search bar on the homepage of Docs.com, Microsoft’s Office 365 document sharing site, was showing files that were not intended for public sharing in its results.

Microsoft says that “with Docs.com, you can create an online portfolio of your expertise, discover, download, or bookmark works from other authors, and build your brand with built-in SEO, analytics, and email and social sharing.” However, it seems that documents that were meant to privately shared – such as within a company or organisation – were being indexed by the search function, making them potentially accessible by anyone.

Other researchers then started to test the Docs.com search function:

According to Ars Technica, the search function gave results of private documents that included:

• A list of maintenance logins and passwords for a number of devices, including metal detectors and other security devices.
• A list of names, addresses, social security numbers, bank account numbers, e-mail addresses and phone numbers, apparently passed to a debt collector on behalf of a number of payday loan and finance companies.
• Medical data, including one physician’s treatment logs and photos, as well as credentials for logging into medical records systems.
• A new employee enrollment document with instructions on how to connect to a corporate intranet gateway for the first time (with default username and password information).
• Actual login and password information, saved as Word documents, from an administrator e-mail.

Microsoft has now removed the search bar from Docs.com homepage, but is still visible on other pages of the website. Regardless, these documents have already been indexed by Google and Bing, making them publicly available, given the correct search criteria.