UPDATE on 6/9/2012 Posted at BOTTOM OF Blog Post.
UNEDITED POST FROM 6/7/2012
We all hear about google indexing our sites. Great right? Well NOT if you let Google index the part of your site that has personal data on it. ESPECIALLY if you claim to be a "SECURE" company!
Especially if the front page of your site says "More than 15 million people trust Docusign"
Well now it is more like 14,999,997, and dropping
I stumbled upon something interesting today.
I was emailing with a user of my site. They said they had a house to list and sell. As part of my "who is this person" I did a Google search on their email (Normally I do my research starting with Rapportive.com , but they were down).
What did I find?
They JUST signed a listing agreement with another broker a couple days ago!
How did I know this? Google had indexed the Docusign page (on httpS, which is just funny since S means Secure, but not secure if Google indexes you).
Docusign was exposing personally identifiable information (see Wikipedia for PII) including allparty names, all party's private email addresses, the name of the contract (such as Purchase for 555 oak, or "listing agreement") and the EXACT GPS location of the parties that signed.
Please flag this or pass this around so your agents hold off on using Docusign until it is fixed (or at elast warn all parties that their info might be exposed).
Here is an example
Also what else sucks is they leaked the private emails. My email address is not public on ONE website because I hate spam. The way they leaked the email addresses, any spammer can now cultivate the addresses and start spamming you.
Want to see if you are on there?
Here is how:
Google this:
site:http://docusign.net "YOUREMAIL@YOURDomain.com" (with quotes)
or
site:http://docusign.net company name
and see what you find. And make sure you click on the CACHED version.
I just did a search and found a second friend of mine on there... they will not be happy. 2 so far.
Update: Docusign claims they didn't do anything wrong and that it must be that these 4,000 accounts somehow publicly shared these otherwise private links... Hum. Then why have they suddenly changed how the pages are designed so they are no longer public. You can see see the data on Google Cache.
It was a screw up and they need to contact all 10,000+ people that were effected.
Frank B. LLosa- Attorney at Law in NJ
Broker FranklyRealty.com VA, DC, MD
Owner FranklyMLS.com
PS. Another funny thing. The seller is in computer security. Ironic isn't it!
U P D A T E 6/9/2012: (Agent Genius also wrote a update here Overnight, DocuSign helps customers ensure document security)
Ok, so I got to the bottom of what happened. It is confusing, so if you don't care, don't read this.
What happened was at least 4,000 contracts were posted PUBLICLY (accidentally probably) online. Who posted them? Likely one of the signing parties (not by Docusign). In other words, if 4 people signed the contract, one decided to download the final Docusign signed document or PDF and then they UPLOADED the document to a "cloud" or website. That website was set to PUBLIC. Most probably thought it was a private online storage, we don't know.
Then Google was able to index these contracts. And in them was a link back to Docusign.net/long-website-address that gave a confirmation of the transaction. That confirmation was therefore available online which had all party's names, private email addresses, contract name and GPS coordinates for the signers.
Bottom line. Did Docusign "do nothing wrong"? Well, here are the things they could have done better and you can decide if it was not wrong to see this coming.
1) A simple "noindex" tag on every private file hosted on Docusign.net. This would have made the results MUCH harder to find and Google would not have indexed them (others might have).
2) Another firewall. This is the extra security step that they added overnight (see AG blog post). Now those pages that can be seen with one click (which they did in their balance of security and simplicity) now require the viewer to enter in some data before seeing it.
Should they have predicted how a user would use their system? Yes, when you claim to have double and triple audits of security... what you pay for is to find the unexpected like this.
Did they do a good job quickly fixing it? Yes.
Comments(7)