Protecting Sensitive Information on Microsoft Docs

Discovering Microsoft Docs.com

Designed to make it easy to share documents built with Office 365, Microsoft’s Docs.com website is an effective tool for those looking to make their work easily accessible to others, making it a useful service for businesses and schools.

However, it’s recently become apparent that many users aren’t completely aware of the scope for sharing that the site includes. Over the weekend, security architect Kevin Beaumont posted about Docs’ search function, which allowed anyone to search through any publicly shared documents on the site - including several which contained sensitive information.

Although the upload screen on Docs lets you choose what visibility to give a document, making it clear that ‘Anyone can find it on the web’, while popping up a confirmation box before publishing, it seems apparent that many have not been aware of exactly how visible their documents would be, with many examples of supposedly secure information being publicly available.

By searching for ‘password’, as an example, it was possible to find several hundred documents, many of which included security-critical or highly personal information, potentially giving malicious users access to systems and information which shouldn’t be accessible by anyone outside the organisation in question.

While Microsoft initially took down the search function on Docs, it’s recently been returned to the site, leaving it unclear whether there’ll be a permanent design change. In addition, there’s another level of visibility involved here - many documents have been indexed by search engines, which means that it’s possible to see some content from them using Google or Bing.

Securing Publications on Microsoft Docs

If you’ve published anything publicly on Docs, it’s worth considering that the documents may be visible by anyone - not just those who were meant to see them. It’s possible to check and change visibility settings through the site, and we’d recommend doing that if you’ve published anything potentially sensitive.

To check and change the visibility of documents, log into the site - you’ll be taken to your homepage, with a list of the documents that you’ve published. Click on the three dots in the upper right corner, and select edit.

Along with other information, you’ll see the document’s visibility - if it’s Public on the web, you can click and change to Limited to ensure that only authorised users can view the piece. However, there’s no password required to view the documents - a potential security issue, even though it’s infinitely more secure than keeping files public.

As such, we wouldn’t necessarily recommend using Docs to store particularly private data - it’s not designed for this. The service is ideal if you’re actually looking to share documents publicly, or if you’re privately sharing documents which could be made public without any negative effect. Systems actively designed for secure document sharing typically allow you to apply extra security factors - passwords, for example.