Microsoft axed Docs.com search option after private files were shared publicly

News
Mar 26, 2017 | 3 mins
Data and Information Security, Microsoft, Security

Microsoft quietly removed the search option on Docs.com after potential PEBKAC/ID10T errors; users set private and sensitive files to be viewed publicly

Docs.com, Microsoft’s site that is described as “showcase and discover Microsoft Word, Excel, PowerPoint, OneNote, Sway and PDF document for free,” came under fire over the weekend as Twitter users started complaining that users of the site had inadvertently shared private and sensitive information with the world.

The site had a search function that allowed anyone to search through millions of files. Some users who uploaded private information did not change the permissions from the default setting, which shares content publicly. After people started tweeting screenshots of sensitive information, Microsoft quietly removed the search functionality on Saturday.

When Microsoft announced the relaunch of Docs.com in 2015, the service was said to be very search-engine friendly. That feature meant that even after Microsoft removed the search functionality from Docs.com, the files could still be found because they had been cached by Bing and Google.

Microsoft previously said, “Docs.com is typically used to share information publicly and make it easily discoverable by search engines.” But in November 2016, the company tried to “make sure that Office 365 customers are fully aware of the benefits and risks of using the service.”

It was Microsoft’s attempt to ensure organizations’ security and privacy via the addition of an “organization visibility” feature. Users would see the share content publicly permission “at least twice” before manually confirming that content would “appear on the internet and in search engines.”

Before work and school account users could share information publicly, their Office 365 Tenant Administrator of record had to “opt-in” on behalf of the school or work organization. “Opting in” meant “that any user will be able to sign-in into Docs.com with their work or school account and use it to share content with people using one of the following categories: Organization: Sharing only with signed in users from the same organization; Limited: Sharing a link that is not exposed to search engines by Docs.com but can be viewed by anyone who knows the link URL; Public: Sharing openly including with search engines.”

Docs.com default upload setting is public

The options were not the same for regular users who were not part of an organization. For example, Twitter user @TinkerSec said Docs.com was leaking personally identifiable information such as divorce settlement agreements, loan applications, custody agreements, birth certificates and social security numbers. Others claimed they found password lists, credit card statements, driver’s license numbers and more. Even though Microsoft said users could choose who views their files, it’s doubtful any user would purposely set out to make such things publicly accessible.

ZDNet reported, “All of the documents would have been uploaded by the owner, but may not have realized that each document could be made public, which is Docs.com’s default uploading setting, say compared to files created or edited with Word and Excel Online, which are private until set otherwise.”

Microsoft told ZDNet it “was ‘taking steps to help those who may have inadvertently published documents with sensitive information’ and advised users to review and update their settings by logging into their account.”

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.