The Information Leak in The Online Collaboration Sink

Posted by Lior Weinstein on Monday, Dec 11th, 2006
Category : Uncategorized

Learn why information leaks in online collaboration applications are important to you

Earlier, I promised that I would look into online collaboration tools. I started looking into Zoho, Google Docs & Spreadsheets, Thinkfree and others. I was a bit worried that these services created an opening for security violations.

What I found was downright scary. People use online collaboration tools to document the most damaging private and commercial information and leave this information in a public folder or URL for the entire world to see.

The tech industry speaks as though the security and privacy problems inherent in collaboration and Web 2.0 software were merely a theoretical problem. My intention here is to show that this problem is very real. I will also suggest a solution.

Here are some of the things I found (note: I blacked out personal data):

Samples of personal medical information leaks

I’m pretty sure that recipient of the following letter is not aware that the details of his orthopedic appointment have been published on the Internet.

Private Medical Information - 1
The following image was taken from a 13-page list of daily admissions to an ICU. It probably was posted by a nurse or doctor who wanted to share information about a patient with a colleague. The unfortunate side effect was the exposure of enormous amounts of private medical data to anyone with a browser.

Personal medical information - 2

Samples of personal employment information leaks

This Best Buy employee decided to go to school and resign from Best Buy. That’s not such a big deal, but if I was a master spear phisher, I could use the information to my advantage.

Personal Employment Data - 1
The same goes for this XILINX employee. These are just two examples of countless personal and corporate documents that contain data that can be used for spear phishing. Perhaps we should call it spear phishing 2.0: fraud based on information found in Web 2.0 apps.

Personal Employment Information Leak - 2

Samples of personal and corporate financial information leaks

The following claims form was filled in with every kind of personal financial information about Mr. S. Using this to perform identity theft is a piece of cake.

Financial Information Leak - 1
Ironically, this next example was taken from a status letter sent by a VC that invests in Web 2.0 and online collaboration to its limited partners. It was a very interesting read, with much financial data.

Financial Information Leak - 2

The mother of all leaks – Passwords galore

For all you techies who are thinking, “Heh heh, stupid users, putting all their private data on the Web,” here are some techie-generated documents. I actually logged into the accounts shown in the next documents.

Leaked Passwords - 1
Leaked Password - 2

How big is the problem of information leaks?

After we checked some 1,500 documents that had been created by online collaboration tools and published on the internet (without any access restrictions), two facts emerged:

  • The probability that users will leak confidential information is inversely proportional to the ease with which users can share information in any given tool.
  • Between 0.5 percent and 5 percent of all information published by online collaboration tools is confidential and, if it falls into the wrong hands, potentially harmful. (One of the services that I checked had about 25 “leaking” documents out of just over 500 public documents checked.)

Percent of dangerous information leaked

Why information leaking could spell the end of online-collaboration tools

Corporations are terrified of information leaks. Information leaks such as the ones we’ve discussed make the company a target for litigation, pave the way to commercial espionage, and may help expose weaknesses in the company or its management.

Once this problem becomes known, corporations will act swiftly and decisively and block their users from accessing online-collaboration tools. Since corporations are the target market for online-collaboration vendors, getting blocked by corporations is very bad news.

How can information leaking be prevented?

The problem can be solved by not allowing users to publish “open to all” documents. Just don’t allow users to publish documents on the Internet on a publicly accessible URL. This is a painful act, since it decreases the productivity gain offered by online-collaboration tools, but it is necessary for those tools that wish to survive.

One more thing

All the tools I checked were amazing–easy to use, fast and skillfully designed. In fact, the high quality of these tools attracted all these users and led to the information leaks.

Latest From Our Blog