Because searching another user’s documents is a great idea!
Last week a friend sent me the Docs.com link, said it was a gold mine. Yes it is 😊 The Docs.com breach was announced on Radio 1 Netherlands on 27 March 2017 as limited to some CV’s or resumes. No, no, no my friend. It is wide open. Microsoft sounded as if they had already fixed part of the problem. It’s days later and I can say nope.
Using the search function for “SSN” which is an acronym of the USA tax payer identification Social Security Number.
Get filled out loan, school, medical, tax, and other related documents. Below is a sanitized example of a person’s filled out loan deferment request form.
I currently live in the Netherlands, land of the free, home of the Orange. To discover documents in Dutch. We changed the search terms and the language. A search for “kanker” which is cancer in Dutch yielded financial tax documents.
Using the search term “schulden” which is debts in Dutch, on 3 April 2017 documents with personally identifiable information is still viewable.
Business yearly financial workbooks viewable and can edit fields on 3 April 2017. A quick snap of my virtual machine system clock
There are debt collector’s documents listing court fees. Hospital documents. When I was informed of the leak last week. I went looking for a Microsoft Bug Bounty for privacy based vulnerabilities or breaches. There aren’t any. There are bounties for most of their products on the application level. Explains a lot about Windows 10. In the Netherlands, the Dutch Data Protection Agency fines companies for these types of violations.
A search for “NHS Cards” yields NHS numbers, scanned cards, NHS email accounts:
Since internet search engines index when they can. You don’t even need to search in Docs.com to find content in Docs.com. Use Google, Bing, DuckDuckGo, etc.
Please Microsoft, flash a big warning to users of the system “Before you save documents to Docs.com. Please remove any personally identifiable information and do not post the PII of others. Anything you post here can be seen by the world!” Also, seriously consider a privacy based bug bounty program. The EU GDPR comes into full effect soon and the fines are promising pain.