Microsoft Office 365 vulnerability exposed thousands of sensitive files via search.
Over the weekend, security researcher Kevin Beaumont publicized a major Microsoft Office 365 vulnerability exploitable via docs.com – a Microsoft website used for sharing files from Office 365.
The website allowed public sharing of documents – and it had an in-text search function right on the homepage.
This meant you could search terms like:
- and more!
And easily get pages of documents containing private information that users inadvertently shared online. Oops!
Thousands of documents from both individuals and businesses were (and continue to be) one search away. A hotel had shared a list of their frequent guests with account numbers and data about their most recent stay. Individuals had shared applications for colleges and loans, bank statements, and medical documents. Spreadsheets from membership organizations contained hundreds of rows listing full names, addresses, and even bank account numbers.
There was more than enough information here to steal someone’s identity or gain access to their accounts. This Microsoft Office 365 vulnerability has been exploited for months, but was not well known until now.
It’s clear that many of these documents were intended to be shared via a link in an email or IM – and the users were unaware that their document had also been made available to anyone in the world searching on Docs.com.
The feature was designed to make it easy to share documents within an organization or with outside parties – similar to sharing features available with Google Docs or Dropbox. But clearly, Microsoft designed theirs poorly.
If you chose to share a document, the default setting was to do so publicly. While Office 365 tried to make this clear through a dialog box, this is yet again a demonstration of the importance of secure defaults.
Users will click through warnings to accomplish what they want – which is why such a risky feature needs to be explicitly chosen by the user, instead of chosen for them and then lazily justified by throwing more “Click to continue” and “Warning” notices at them.
Given Microsoft’s experience with data security – it operates a huge enterprise sector after all – it’s shocking that it put so little consideration into such a tool.
At first, Microsoft removed the search functionality – but that was hardly a fix for the problem. Documents could still be viewed by anyone if you had the direct link, and because they were public, they had been indexed and archived by search engines.
Inexplicably, and without a statement from Microsoft, the search function has now returned. While it appears that many of the sensitive files are now gone (or at least harder to find), you can still find passwords, government ID numbers, and various other private information within a few minutes.
Now, some journalists and researchers are trying to reach out to affected individuals, who need to know that they are at serious risk for identity compromise.