Microsoft have a website called https://t.co/3TC07CB8gE where Office 365 customers can share anything in public. It has a search function.
— Kevin Beaumont (@GossiTheDog) March 25, 2017
That seemed insanely scary, so I did a quick search on docs.com for password. (I am not revealing anything secret here; the original tweet went to thousands of people, and many have already noted the number of shared password files.) The results were quite shocking—hundreds of files containing full login information to major sites—Apple, AT&T, Facebook, Gmail, LinkedIn, Netflix, PayPal, Twitter, etc.
It seems crazy to think that these users are intentionally sharing this information with the world. I wanted to see how it was happening, so I logged into docs.com with my Office365 account to see. I created a simple file to upload as a test. After uploading, you have to set a bunch of options before you save the file; one of the settings is the Visibility, and this is the default setting:
Yes, docs.com defaults any uploaded file to world-visible, “giving it a larger audience.” Yikes!
Now, in Microsoft’s defense, when you click the Save button to complete the upload process, this warning box appears:
I have two problems with this box, however. First, it’s not “warny” enough about the public nature of the content—how about “Make sure it doesn’t contain private information that you don’t want to share” in bold, to make that sentence stand out?
The second issue—and probably the main cause of so many shared private-info documents—is that very visible “Do not show this message again” checkbox. Check that, and the next time you upload a file, you won’t see any warning, even though the file will be publicly visible by default.
I really don’t think Microsoft should default to public share for any uploaded file; that’s just not a safe strategy. (The other setting is Limited, which means a user must have a link to your document to view it. This would protect users from accidentally sharing files that were intended to be privately shared, not publicly visible.)
And if, for whatever reason, Microsoft doesn’t want to default to Limited, then that warning dialog should pop up every single time, with no way to bypass it. If you’ve used docs.com, you may want to double-check that what you thought was private is actually private.
April 1 2017 update:
Microsoft is apparently emailing all docs.com users with this explanatory note…
But that’s it—just an explanatory email. Nothing has changed about uploading (defaults to public) or the warning checkbox (still no calling out the “private information” bit, can still be hidden forever). So I’m not sure this really changes anything.