FYI Docs.com users: You may have leaked passwords, personal info – thousands have

Thousands of netizens inadvertently shared passwords and other highly private information with the rest of the planet – via Microsoft's publicly searchable Docs.com service. Docs.com allows people to exchange documents between friends and colleagues, and the wider world, and can be searched for keywords. It sounds like a neat …

  1. Jeroen Braamhaar
    FAIL

    Wait, so ....

    "The problem was two-fold. First, people weren't always marking sensitive documents as private and non-public"

    So the default settings for your own documents are "visible to all and sundry" unless you go to the (likely well obfuscated) privacy settings to restrict who can find them ??!

    I'm not sure there's a facepalm in this universe big enough.

    1. Captain Scarlet Silver badge

      Re: Wait, so ....

      If hidden you just need a direct link, so I assume the link can simply be guessed.

      Why is anyone putting anything on there?

    2. Halfmad

      Re: Wait, so ....

      The entire point of the site is to share information and showcase it - I think that's potentially the problem, people have treated it like a dropbox alternative instead.

  2. 2460 Something

    Weakest link

    Which just goes to show, yet again, that the weakest link is always the fleshy meatbags behind the keyboard. No matter how locked down your security is, no matter what policies you have in place, people will find a way around (either through supposed necessity or accidental ignorance) or just be unaware of the implications of what they are sharing. There are no plausible solutions (other than cyborg upgrades), that doesn't mean we don't keep trying of course. Just have to accept the inevitable and re-educate at regular intervals.

    1. P. Lee

      Re: Weakest link

      Was the security locked down?

      I do have to ask why MS needed a special website to do file sharing. That seems to be a basic function as far as I can tell. Don't they make some software which is supposed to do that function which they could make available to all businesses, which does this easily in a relatively secure manner? Perhaps not.

      MS - partying (and writing software) like it's 1999.

      1. a_yank_lurker

        Re: Weakest link

        @P. Lee "MS - partying (and writing software) like it's 1999." I think MS is actually writing code as if it is 1899 given the alpha level trash they have been foisting on users recently.

    2. Anonymous Coward

      Re: Weakest link

      'Which just goes to show, yet again, that the weakest link is always the fleshy meatbags behind the keyboard.'

      Yes, especially the meatbags that implemented this thing.

      Sure I agree in principle with everything else you say in your posting, so, seriously, if you are in any way 'security conscious' when implementing such a service as this, then the default setting for any document uploaded to these idiot magnets should be 'private unless marked otherwise', idiots, being idiots and all that...

      1. quxinot

        Re: Weakest link

        >'Which just goes to show, yet again, that the weakest link is always the fleshy meatbags behind the keyboard.'

        Yes, especially the meatbags that implemented this thing.<

        Thank you. I always agree entirely with the opening statement above, but the question is often which keyboard they're sitting behind.

    3. Mine's a Large One
      Facepalm

      Re: Weakest link

      "Which just goes to show, yet again, that the weakest link is always the fleshy meatbags behind the keyboard when they develop a service which gives a default setting of PUBLIC to uploaded documents."

      There, fixed it for you.

  3. Doctor Syntax Silver badge

    The cloud..

    ..the gift that keeps giving.

    1. Captain DaFt

      Re: The cloud..

      Your data away.

  4. inmypjs Silver badge

    Surprised?

    You have to be a technically illiterate moron to be using Office 365 and Microsoft cloud services so what the hell do you expect?

    1. ACcc

      Re: Surprised?

      Office365 != docs.com as far as I'm aware.

      That said, putting any of this stuff on the internet without being very sure of the security and double checking visibility is the act of foolishness.

      Not sure Microsoft have helped their users here though by having a myriad of similar products hanging off different platforms (onedrive on outlook/hotmail, SharePoint, office365; documents on onedrive, docs.com, office web apps, etc.).

      1. ACcc

        Re: Surprised?

        I'm wrong - you can share office365 files on docs.com. Genius.

        https://arstechnica.com/security/2017/03/doxed-by-microsofts-docs-com-users-unwittingly-shared-sensitive-docs-publicly/

    2. Anonymous Coward

      Re: Surprised?

      sadly o365 (they wish they had that uptime) gets mandated in lots of companies :-(

  5. J. R. Hartley

    What a pisser

  6. Anonymous Coward

    Don't you just HATE that BS?

    "As part of our commitment to protect customers, we're taking steps to help those who may have inadvertently published documents with sensitive information," a spokesperson told The Reg.

    If you were really in ANY way, shape or form "committed to protect customers" you would have made PRIVATE the default setting and PUBLIC the option - ever heard of the concept of fail-safe?

    Oh, wait, you're Microsoft. Forget I asked.

  7. frank ly

    If they'd done it 'properly'

    If Microsoft had set the default option to 'private' then they'd have been inundated with help-desk calls from people who were trying to make documents public and failing because they hadn't read the details or been able to find the options menu item. This is how most people are, in the 'ordinary world'.

    I remember, years ago, using Limewire and being amazed by how many people were sharing their entire C: drive because they hadn't found the menu item to control which folder(s) were to be shared.

    It seems to be difficult to make software that does everything that people want it to do, need it to do and to do that without an arcane menu system and/or an annoying set of questions before it allows you to start using it.

    1. Anonymous Coward

      Re: If they'd done it 'properly'

      "If Microsoft had set the default option to 'private' then they'd have been inundated with help-desk calls from people who were trying to make documents public and failing because they hadn't read the details or been able to find the options menu item. This is how most people are, in the 'ordinary world'."

      So your contention is that risking everyone's privacy is cheaper in support costs than doing it right. In the days before "we will fling everyone into a forum so users work for us instead of us having to offer support ourselves" that one could have flown, but not now.

      Nowadays, that would be akin to disabling ABS by default because the clunky sounds of it engaging could scare the driver.

      That said, you still could be right because if there is something that Microsoft has not been very good at, it's creating simple user interfaces. Maybe they couldn't take the chance..

  8. TrumpSlurp the Troll

    Private?

    I assume the commentards here are active users of docs.com and speak from experience?

    Because the alternative is that private is the default but it was just too much trouble to set up the closed group so everything was set to public by the user.

  9. Evil Auditor Silver badge

    My advice is: don't share sensitive information via cloudy stuff.

    It's difficult though to put blame on the users (I don't know docs.com). They will use whatever comes handy*. Not to say they are not responsible but systems targeted at world and dog should be engineered to a certain foolproof level**.

    * ...Or rather is available for, e.g. Office 365 handy it certainly isn't.

    ** If you make it foolproof they'll invent a better fool. But at least make it safer for the common fool.
