The information leak in the online collaboration sink

Learn why information leaks in online collaboration applications are important to you

Earlier, I promised that I would look into online collaboration tools. I started looking into Zoho, Google Docs & Spreadsheets, Thinkfree and others. I was a bit worried that these services created an opening for security violations.

What I found was downright scary. People use online collaboration tools to document the most damaging private and commercial information and leave this information in a public folder or URL for the entire world to see.

The tech industry speaks as though the security and privacy problems inherent in collaboration and Web 2.0 software were merely a theoretical problem. My intention here is to show that this problem is very real. I will also suggest a solution.

Here are some of the things I found (note: I blacked out personal data):

Samples of personal medical information leaks

I’m pretty sure that the recipient of the following letter is not aware that the details of his orthopedic appointment have been published on the Internet.

[Image: Private Medical Information - 1]

The following image was taken from a 13-page list of daily admissions to an ICU. It probably was posted by a nurse or doctor who wanted to share information about a patient with a colleague. The unfortunate side effect was the exposure of enormous amounts of private medical data to anyone with a browser.

[Image: Personal medical information - 2]

Samples of personal employment information leaks

This Best Buy employee decided to go to school and resign from Best Buy. That’s not such a big deal, but if I were a master spear phisher, I could use the information to my advantage.

[Image: Personal Employment Data - 1]

The same goes for this XILINX employee. These are just two examples of countless personal and corporate documents that contain data that can be used for spear phishing. Perhaps we should call it spear phishing 2.0: fraud based on information found in Web 2.0 apps.

[Image: Personal Employment Information Leak - 2]

Samples of personal and corporate financial information leaks

The following claims form was filled in with every kind of personal financial information about Mr. S. Using this to perform identity theft is a piece of cake.

[Image: Financial Information Leak - 1]

Ironically, this next example was taken from a status letter sent by a VC that invests in Web 2.0 and online collaboration to its limited partners. It was a very interesting read, with much financial data.

[Image: Financial Information Leak - 2]

The mother of all leaks - Passwords galore

For all you techies who are thinking, “Heh heh, stupid users, putting all their private data on the Web,” here are some techie-generated documents. I actually logged into the accounts shown in the next documents.

[Image: Leaked Passwords - 1]

[Image: Leaked Password - 2]

How big is the problem of information leaks?

After we checked some 1,500 documents that had been created by online collaboration tools and published on the internet (without any access restrictions), two facts emerged:

[Chart: Percent of dangerous information leaked]

Why information leaking could spell the end of online-collaboration tools

Corporations are terrified of information leaks. Information leaks such as the ones we’ve discussed make the company a target for litigation, pave the way to commercial espionage, and may help expose weaknesses in the company or its management.

Once this problem becomes known, corporations will act swiftly and decisively and block their users from accessing online-collaboration tools. Since corporations are the target market for online-collaboration vendors, getting blocked by corporations is very bad news.

How can information leaking be prevented?

The problem can be solved by not allowing users to publish “open to all” documents: simply do not let users publish a document at a publicly accessible URL on the Internet. This is painful, since it gives up part of the productivity gain offered by online-collaboration tools, but it is necessary for any tool that wishes to survive.

One more thing

All the tools I checked were amazing: easy to use, fast and skillfully designed. In fact, the high quality of these tools attracted all these users and led to the information leaks.

Posted on December 11, 2006 by Yoav Ezer 
Filed Under Collaboration, Google, Office 2.0

Comments

47 Responses to “The information leak in the online collaboration sink”

  1. Sridhar Vembu on December 12th, 2006 9:59 am

    Yoav,
    Thank you for an excellent post. We at Zoho take this issue seriously - indeed, the default setting for any document at Zoho is private, and users have to explicitly make a document public in order for it to be public.

    The solution you suggest (not allow anyone to make their document public) is too draconian though. As an example, we ourselves have published help documentation (see http://writer.zoho.com/public/zohoprojects/Table-Of-Contents/noband ) that is authored in Zoho Writer, and published to the world. Prohibiting such perfectly valid use cases could be a huge productivity loss.

    To an extent, this kind of difficulty is present in any website that allows users to upload content. It is all too easy to cut and paste an email and post it as a comment in a blog, for example. And it is easy to upload an internal or private video in a video sharing site (as it happened to Bank of America recently).

    A couple of approaches we could consider: a) give an explicit warning to users that making a document public means it could be indexed by search engines and could live on forever in public archives, and asking them to confirm if they really want to make it public and b) give a public, but unguessable URL to the user, and require a second confirmation to actually show the URL in any kind of index. With the second option, a document is public, but it won’t be shown in any kind of public listing, and the URL would have to be manually copied and circulated by the user. A second confirmation would be needed to publish it to a listing so that search engines can find this URL.

    Sridhar

  2. Yoav Ezer on December 12th, 2006 3:44 pm

    Hi Sridhar,

    After browsing about 1500 documents created in online collaboration tools, I have to disagree about the extent of the productivity loss. Maybe 98% of all documents were either created for personal use or for sharing with a specific group of people.

    Of the 2% which were meant for public use, some were blatantly illegal (such as a username and password for a paid online book which a teacher wanted his students to read), while others were harmless.

    But the more significant issue (IMO) is the damage that can be caused to your company and the company of the user. Some of the documents that I mentioned can be used as a basis for a multi-million dollar lawsuit.

    If you feel that you must keep the online publishing feature, then I suggest that you notify the user (in big bold letters) that he may be publishing private/commercial information that can cause damage to him or the company he works for, and that you (Zoho) are not responsible in any way for whatever harm the publishing of this content may cause him or others.

    Using the unguessable URL and maybe using robots.txt are good precautions, but informing the user of the dangers in online publishing is crucial.

    -Yoav

    P.S.

    I loved your product
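The publishing policy sketched in the post’s “How can information leaking be prevented?” section and refined in the exchange above (private by default, an explicit warning before anything goes public, an unguessable URL for documents that are public but unlisted, and a separate second confirmation before a document appears in any index) can be expressed as a small state machine. The following is an added example written for this page; it is not Zoho’s or Google’s code, and every class and method name in it is an assumption.

```python
"""Document visibility policy modelled on the mitigations discussed on
this page: private by default, a warning the user must confirm before a
document becomes public, a 256-bit unguessable URL for unlisted
documents (served with a noindex header), and a second confirmation
before the document is exposed in a public listing.
Added example; all names are assumptions, not any vendor's API."""
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Visibility(Enum):
    PRIVATE = "private"      # default: owner and explicit sharees only
    UNLISTED = "unlisted"    # reachable only via the unguessable URL
    LISTED = "listed"        # appears in the public index / search engines


PUBLIC_WARNING = ("Making this document public means anyone with the link can "
                  "read it, search engines may index it, and copies may live on "
                  "in public archives. Check it contains no private, medical, "
                  "financial or login details.")


class ConfirmationRequired(Exception):
    """Raised when a state change needs the user's explicit confirmation."""


@dataclass
class Document:
    owner: str
    title: str
    body: str
    visibility: Visibility = Visibility.PRIVATE
    token: Optional[str] = None  # assigned only once the document is public


class SharingService:
    def __init__(self) -> None:
        self._docs: Dict[str, Document] = {}     # doc_id -> document
        self._by_token: Dict[str, str] = {}      # public token -> doc_id

    def create(self, doc_id: str, owner: str, title: str, body: str) -> Document:
        doc = Document(owner, title, body)       # private by default
        self._docs[doc_id] = doc
        return doc

    def make_public(self, doc_id: str, *, confirmed_warning: bool = False) -> str:
        """Step 1: public but unlisted. Returns the unguessable URL path."""
        if not confirmed_warning:
            raise ConfirmationRequired(PUBLIC_WARNING)
        doc = self._docs[doc_id]
        if doc.token is None:
            doc.token = secrets.token_urlsafe(32)  # 256 bits: not enumerable
            self._by_token[doc.token] = doc_id
        doc.visibility = Visibility.UNLISTED
        return f"/public/{doc.token}"

    def list_publicly(self, doc_id: str, *, confirmed_listing: bool = False) -> None:
        """Step 2: a separate confirmation before the document is indexable."""
        doc = self._docs[doc_id]
        if doc.visibility is Visibility.PRIVATE:
            raise ValueError("make the document public before listing it")
        if not confirmed_listing:
            raise ConfirmationRequired(
                "Listing makes this document discoverable by search engines.")
        doc.visibility = Visibility.LISTED

    def make_private(self, doc_id: str) -> None:
        """Revoke: the old link must stop working, not just disappear."""
        doc = self._docs[doc_id]
        doc.visibility = Visibility.PRIVATE
        if doc.token is not None:
            self._by_token.pop(doc.token, None)
            doc.token = None

    def fetch_public(self, token: str) -> Optional[Tuple[Document, Dict[str, str]]]:
        """Anonymous access path: only an exact token resolves, and the
        response carries a noindex header unless the owner chose listing."""
        doc_id = self._by_token.get(token)
        if doc_id is None:
            return None
        doc = self._docs[doc_id]
        if doc.visibility is Visibility.PRIVATE:
            return None
        headers: Dict[str, str] = {}
        if doc.visibility is Visibility.UNLISTED:
            headers["X-Robots-Tag"] = "noindex, nofollow"
        return doc, headers

    def public_index(self) -> List[str]:
        """What a public listing or sitemap may expose: listed titles only."""
        return [d.title for d in self._docs.values()
                if d.visibility is Visibility.LISTED]
```

The two confirmations are deliberately separate calls so that a user cannot reach the indexed state through a single “publish” click, and revocation deletes the token mapping rather than merely flipping a flag, so a link that was already copied around stops resolving. A per-response `X-Robots-Tag` header is used instead of a blanket robots.txt rule because listed and unlisted documents share the same URL prefix.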

  3. Update on a Zoho Post - simplerich - ~ an open letter to you and the www ~ on December 13th, 2006 10:14 pm

    [...] Earlier this week I talked about zoho not being vulnerable to the annoying microsoft bug that had no patch. Saasafras, see how easy it is to make an attribution Saasafras? It didn’t hurt or anything, made a post saying I’d said zoho was safer than offline alternatives and used my post as evidence. Saasafras then went on to talk about something completely unrelated to my point, that zoho wasn’t vulnerable to the microsoft zero day problem, and discuss a post about files shared over the internet as being insecure. Well, DUH. A HUGELY important quote from the mentioned article: People use online collaboration tools to document the most damaging private and commercial information and leave this information in a public folder or URL for the entire world to see. [...]

  4. Vimal Thakkar on December 14th, 2006 5:47 pm

    Really good information!

    Could you please let me know how did you mine so much info?

  5. Yoav Ezer on December 14th, 2006 7:24 pm

    Hi Vimal,

    Thanks for the compliment.

    Just go to google and use the search operator site:subdomain.nameofcompany.com

    for instance, try searching for…

    site:docs.google.com

    and click on the “repeat the search with the omitted results included.” link.

  6. Security of online collaboration tools - simplerich - ~ an open letter to you and the www ~ on December 15th, 2006 12:36 am

    [...] There’s some buzz in the blogosphere about the insecurity of some online collaboration tools that seems to center around some research done by Yoav on his blog. He discovered, with relative ease, that a lot of people are using the PUBLISH option of several popular online collaborative tools (like zoho and/or google spreadsheets) instead of sharing them with specific people. He’s unearthing medical records, and personal data that the USER put out there on the net through their own ignorance. We (Yoav and I) both agree the user did something wrong here. I think an attorney and judges would agree as well if they got their collective behinds sued for being careless with medical records in at least one case. [...]

  7. PDF to Excel conversion and other stuff » Zoho removes demo account from home page on December 19th, 2006 4:56 pm

    [...] In a previous post, I mentioned an inherent security problem with online collaboration tools. The quickest to respond was Zoho. First, Zoho commented on the post. It then removed the demo account from their home page (a no-login account which allowed users to test their product). [...]

  8. Zoho Blogs on January 9th, 2007 1:24 pm

    A little conversation at this end of the blogosphere

    There have been lots of examples of companies ignoring users getting punished in the long run. And with the proliferation of blogs, the reaction’s much more immediate.
    Thanks to gurus and blogging evangelists like Robert Scoble, Steve Rubel, Seth …

  9. Listening to Customers - simplerich - ~ an open letter to you and the www ~ on January 9th, 2007 5:46 pm

    [...] Zoho, my online document tool of choice for both .doc files and spreadsheet files is also in the habit of listening to their customers, and we don’t even pay them anything. A while back there was a bit of a dust-up over the security and privacy of online document tools. Zoho representatives were in all the threads about it that I saw reading and responding, and, more importantly, addressing the concerns of those involved. It wasn’t just a PR thing where they posted a little “Thanks for the heads up; we’re looking into it, keep buying Product X!” thing by an advertising guy. It actually affected change that was implemented in the product. Zoho listened to their customers. [...]

  10. jackdoef on April 18th, 2007 5:09 pm

    Good work!

  11. Alex on April 25th, 2007 12:07 pm

    Thank You

  12. Yoav Ezer on April 25th, 2007 2:28 pm

    Hi Alex,

    My Pleasure

  13. Nico on May 21st, 2007 8:59 pm

    Cool…

  15. Lambro on June 14th, 2007 8:17 am

    interesting

  17. Panayotis on July 9th, 2007 8:56 pm

    Cool…

  18. Panagiote on July 10th, 2007 4:25 am

    Nice

  19. Alekos on July 10th, 2007 4:26 am

    Cool!

  20. Giorgos on July 11th, 2007 2:03 am

    Sorry :(

  21. Odysseus on July 11th, 2007 4:22 am

    Nice…

  23. liza on March 6th, 2008 9:06 pm

    great work man thx

  24. Leah on April 5th, 2008 8:50 pm

    Projjex.com is a great new site that does a fabulous job of collaboration. It’s completely browser-based, really easy to use, and has a free version. Cool videos too - I love it!
