Buzzfeed has reported a possible flaw in Office 365 whereby files are uploaded publicly by default rather than privately to docs.com, which just so happens to have a search function. IT security experts from FireMon, Comparitech, Synopsys and Alert Logic commented below.

Paul Calatayud, Chief Technology Officer at FireMon:

paul-calatayudThis is a good example of awareness when it comes to using cloud applications. Many people do not read the fine print when it comes to “free”. In past cases, I recall one company providing free photo storage only to later be discovered  that  by using that service you were also handing rights over to the photo to the hosting company. Point is, read the fine print if you are deciding to use free services to support important files. Microsoft should also change the default setting to private or remind people when they are sending data with the public setting on what the implication of that fully is.

In the end if both parties who have responsibility both in what information you decide to share and the service properly informing you one can make an informed decision.

Lee Munson, Security Researcher at Comparitech:

Lee Munson“Just about everyone has a need to create, share or access documents, either through work or at home, and one of the most efficient ways of doing that is using Microsoft 365 products and an online storage platform.

The news that documents uploaded to Docs.com are publically available by default, however, should send shudders down its users’ spines.

Though the buck should stop with anyone negligent enough to upload sensitive information to a service without first checking its security and privacy policies, the approach taken here by Microsoft is, perhaps, not ideal.

Though the company now warns people before they upload new content, it is already too late for anyone who has already inadvertently shared their passwords, national insurance number or other personally identifiable information.

Anyone who has made that faux pas should check credit reports where financial information has been shared and change any compromised passwords immediately.

In the future, anyone uploading content to a cloud service should conduct due diligence in advance and preferably choose a service with encryption baked in, or roll their own.”

Mike Ahmadi, Global Director-Critical Systems security at Synopsys:

mike-ahmadi “This is a perfect example of how users of software and software services have to be fully aware of the risk before diving in.  Software companies that provide these software and services exempt themselves from all liability associated with such failures to protect by simple stating they are not liable in the EULA that we must all agree to when we choose to use the products, and the general public is left as the eternal beta tester.  Any attempt to change this situation to one of shared liability is forcefully shut down by a software industry that is indeed quite content with their zero liability for software bugs status.  Some may argue that software companies do indeed act in a responsible manner, and Microsoft is indeed an organisation that does take security very seriously, but everyone makes mistakes and in such cases the software company is not held accountable.  This really needs to change to a more equitable model.”

Oliver Pinson-Roxburgh, EMEA Director at Alert Logic:

oliver-pinson-roxburgh“Yes it is really concerning and vendors do need to help people to make good decisions. By default these sorts of systems need to be made public by explicit request rather that public by default. But having been in the security industry for 15 years we need people to be more diligent themselves and aware of security the implications their actions rather than blindly share information its good a little paranoid especially with your sensitive.