Bad Default Settings Cause Microsoft Office 365 Vulnerability
Microsoft Office 365 vulnerability exposed thousands of sensitive files via search.
Over the weekend, security researcher Kevin Beaumont publicized a major Microsoft Office 365 vulnerability exploitable via docs.com – a Microsoft website used for sharing files from Office 365.
The website allowed public sharing of documents – and it had an in-text search function right on the homepage.
This meant you could search terms like:
- confidential
- SSN
- password
- and more!
And easily get pages of documents containing private information that users inadvertently shared online. Oops!
Thousands of documents from both individuals and businesses were (and continue to be) one search away. A hotel had shared a list of their frequent guests with account numbers and data about their most recent stay. Individuals had shared applications for colleges and loans, bank statements, and medical documents. Spreadsheets from membership organizations contained hundreds of rows listing full names, addresses, and even bank account numbers.
There was more than enough information here to steal someone’s identity or gain access to their accounts. This Microsoft Office 365 vulnerability has been exploited for months, but was not well known until now.
It’s clear that many of these documents were intended to be shared via link in an email or IM – and the users were unaware that their document had also been made available to anyone in the world searching on Docs.com.
The feature was designed to make it easy to share documents within an organization or with outside parties – similar to sharing features available with Google Docs or Dropbox. But clearly, Microsoft designed theirs poorly.
If you chose to share a document, the default settings were to do so publicly. While Office 365 tried to make this clear through a dialog box, this is yet again a demonstration of the importance of secure defaults.
Users will click through warnings to accomplish what they want – which is why such a risky feature needs to be explicitly chosen by the user, instead of chosen for them and then lazily justified by throwing more “Click to continue” and “Warning” notices at them.
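The secure-default principle above, as an added example that is not Microsoft's or docs.com's code: a hypothetical sharing model in which sharing produces a link-only document by default, public listing (and therefore search-engine indexing) is an explicit opt-in, and an audit flags public documents that contain the kinds of terms the researcher searched for. Document contents and the SSN-shaped pattern are constructed for illustration.

```python
import re
from dataclasses import dataclass
from enum import Enum


class Visibility(Enum):
    PRIVATE = "private"  # owner only
    LINK = "link"        # anyone with the direct link; not listed, not indexable
    PUBLIC = "public"    # listed on the site and indexable by search engines


@dataclass
class Document:
    doc_id: str
    text: str
    visibility: Visibility = Visibility.PRIVATE  # secure default: nothing leaves the account


# Terms the page describes being searched for, plus one constructed SSN-shaped pattern.
SENSITIVE_TERMS = ("confidential", "ssn", "password")
SENSITIVE_PATTERNS = (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),)


def share(doc: Document, make_public: bool = False) -> Visibility:
    """Sharing yields a link; public listing happens only if the user opts in."""
    doc.visibility = Visibility.PUBLIC if make_public else Visibility.LINK
    return doc.visibility


def index_headers(doc: Document) -> dict:
    """Non-public documents are served with a header telling crawlers not to index them."""
    if doc.visibility is Visibility.PUBLIC:
        return {}
    return {"X-Robots-Tag": "noindex, nofollow"}


def search_index(docs: list) -> list:
    """Only explicitly public documents are eligible for the site's own search."""
    return [d.doc_id for d in docs if d.visibility is Visibility.PUBLIC]


def audit_public_exposure(docs: list) -> list:
    """Return (doc_id, hits) for public documents whose text looks sensitive."""
    findings = []
    for d in docs:
        if d.visibility is not Visibility.PUBLIC:
            continue
        hits = [t for t in SENSITIVE_TERMS if t in d.text.lower()]
        hits += [p.pattern for p in SENSITIVE_PATTERNS if p.search(d.text)]
        if hits:
            findings.append((d.doc_id, hits))
    return findings


def build_sample() -> list:
    """Constructed documents: one shared publicly by mistake, one link-only, one harmless."""
    guests = Document("guests", "Confidential: frequent guest list with account numbers")
    loan = Document("loan", "Loan application, applicant SSN 123-45-6789")
    memo = Document("memo", "Team lunch menu for Friday")
    share(guests, make_public=True)  # user explicitly opted in to public listing
    share(loan)                      # default: link only, never indexed
    share(memo, make_public=True)
    return [guests, loan, memo]
```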
Given Microsoft’s experience with data security – it operates a huge enterprise business after all – it’s shocking that it put so little consideration into such a tool.
At first, Microsoft removed the search functionality – but that was hardly a fix for the problem. Documents could still be viewed by anyone if you had the direct link, and because they were public, they had been indexed and archived by search engines.
Inexplicably, and without a statement from Microsoft, the search function has now returned. While it appears that many of the sensitive files are now gone (or at least harder to find), you can still find passwords, government ID numbers, and various other private information within a few minutes.
Now, some journalists and researchers are trying to reach out to affected individuals, who need to know that they are at serious risk for identity compromise.