
DOCUSIGN Leaks PII Private Data to Google!

By Real Estate Broker/Owner with Northern Virginia Homes - FRANKLY REAL ESTATE Inc

UPDATE on 6/9/2012 Posted at BOTTOM OF Blog Post.


UNEDITED POST FROM 6/7/2012

We all hear about Google indexing our sites. Great, right? Well, NOT if you let Google index the part of your site that has personal data on it. ESPECIALLY if you claim to be a "SECURE" company!

Especially when the front page of your site says "More than 15 million people trust Docusign".

Well now it is more like 14,999,997, and dropping

I stumbled upon something interesting today.

I was emailing with a user of my site. They said they had a house to list and sell. As part of my "who is this person" check I did a Google search on their email (normally I start my research with Rapportive.com, but it was down).

What did I find?

They JUST signed a listing agreement with another broker a couple days ago!

How did I know this? Google had indexed the Docusign page (on HTTPS, which is just funny since the S means Secure; but HTTPS only encrypts the connection, it does nothing to stop Google indexing a page that is served to anyone who has the link).

Docusign was exposing personally identifiable information (see Wikipedia for PII) including all party names, all parties' private email addresses, the name of the contract (such as "Purchase for 555 Oak" or "listing agreement") and the EXACT GPS location of the parties that signed.

Please flag this or pass this around so your agents hold off on using Docusign until it is fixed (or at least warn all parties that their info might be exposed).

Here is an example 


Also, what else sucks is that they leaked the private emails. My email address is not public on a single website because I hate spam. The way they leaked the email addresses, any spammer can now harvest the addresses and start spamming you.


Want to see if you are on there? 

Here is how:

Google this:

site:http://docusign.net  "YOUREMAIL@YOURDomain.com"           (with quotes)

or

site:http://docusign.net  company name


and see what you find. And make sure you click on the CACHED version.


I just did a search and found a second friend of mine on there... they will not be happy. 2 so far.

Update: Docusign claims they didn't do anything wrong and that it must be that these 4,000 accounts somehow publicly shared these otherwise private links... Hmm. Then why have they suddenly changed how the pages are designed so they are no longer public? You can still see the data in Google's cache.

It was a screw-up and they need to contact all 10,000+ people that were affected.


Frank B. LLosa - Attorney at Law in NJ

Broker FranklyRealty.com VA, DC, MD

Owner FranklyMLS.com


PS.  Another funny thing. The seller is in computer security. Ironic isn't it!


UPDATE 6/9/2012: (Agent Genius also wrote an update here: "Overnight, DocuSign helps customers ensure document security")

Ok, so I got to the bottom of what happened. It is confusing, so if you don't care, don't read this.

What happened was that at least 4,000 contracts were posted PUBLICLY (probably by accident) online. Who posted them? Likely one of the signing parties (not Docusign). In other words, if 4 people signed the contract, one decided to download the final Docusign-signed document or PDF and then UPLOADED it to a "cloud" service or website. That website was set to PUBLIC. Most probably thought it was private online storage; we don't know.

Then Google was able to index these contracts. Inside them was a link back to Docusign.net/long-website-address that gave a confirmation of the transaction. That confirmation page was therefore reachable online by anyone with the link, and it carried all parties' names, private email addresses, the contract name and GPS coordinates for the signers.

Bottom line: did Docusign "do nothing wrong"? Well, here are the things they could have done better, and you can decide whether it was not wrong to fail to see this coming.

1) A simple "noindex" tag on every private page hosted on Docusign.net. This would have made the results MUCH harder to find, since Google would not have indexed them (other crawlers that ignore the tag still might have).

2) Another firewall. This is the extra security step that they added overnight (see the AG blog post). Those pages that used to be visible with one click (the trade-off they made between security and simplicity) now require the viewer to enter some data before seeing them.
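To make the two fixes concrete, here is an added Python example. It is not DocuSign's code and is not from the post: it is a toy model of a confirmation page reachable by a long, unguessable link, showing the one-click behaviour the post describes next to a hardened version that (1) marks every response non-indexable and (2) asks the viewer for an e-mail address belonging to one of the parties before showing any party details. It also goes a little beyond the post by including a crawler-style check that reads both the X-Robots-Tag header and the robots meta tag. The link layout, the function names, the sample envelope and every name, address and coordinate in it are constructed assumptions.

```python
"""Added example, not DocuSign's code: a toy e-signature "confirmation page"
reachable by a long opaque link, contrasting the one-click behaviour the post
describes with a hardened version that is non-indexable and challenges the
viewer. All tokens, names, addresses and coordinates are constructed."""
import hmac
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Party:
    name: str
    email: str


@dataclass(frozen=True)
class Envelope:
    title: str
    parties: tuple
    signed_from: str  # constructed coarse location standing in for the GPS field


# Constructed sample store keyed by the opaque token that ends the link.
ENVELOPES = {
    "f3a9c1e7b2d04e8a9c6b5d2f1e0a7b3c": Envelope(
        title="Listing agreement - 555 Oak St (sample)",
        parties=(Party("Ann Seller", "ann.seller@example.com"),
                 Party("Bob Broker", "bob@example-realty.test")),
        signed_from="38.88, -77.10 (constructed)",
    ),
}

# Headers telling well-behaved crawlers and shared caches to leave the page alone.
PRIVATE_HEADERS = {
    "X-Robots-Tag": "noindex, nofollow, noarchive",
    "Cache-Control": "private, no-store",
}


def _token(path: str) -> str:
    """The opaque token is the last path segment of the link."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def _render(env: Envelope, noindex_meta: bool) -> str:
    """Build the page that lists every party, the document name and the signing location."""
    meta = '<meta name="robots" content="noindex, nofollow">' if noindex_meta else ""
    rows = "".join(f"<li>{p.name} &lt;{p.email}&gt;</li>" for p in env.parties)
    return (f"<html><head>{meta}<title>{env.title}</title></head><body>"
            f"<h1>{env.title}</h1><ul>{rows}</ul>"
            f"<p>Signed from: {env.signed_from}</p></body></html>")


def confirmation_before(path: str):
    """One-click behaviour: whoever holds the link sees every party's details,
    and nothing in the response discourages a crawler from indexing it."""
    env = ENVELOPES.get(_token(path))
    if env is None:
        return 404, {}, "Not found"
    return 200, {}, _render(env, noindex_meta=False)


def confirmation_after(path: str, supplied_email: Optional[str] = None):
    """Hardened behaviour: the bare link yields only a challenge form; party
    details appear once the viewer supplies an e-mail that belongs to one of
    the parties. Every response, the challenge included, is marked non-indexable."""
    env = ENVELOPES.get(_token(path))
    if env is None:
        return 404, dict(PRIVATE_HEADERS), "Not found"
    if supplied_email is not None:
        candidate = supplied_email.strip().lower().encode()
        # Constant-time comparison per party, so response timing does not
        # reveal which addresses are on the envelope.
        matched = any(hmac.compare_digest(candidate, p.email.lower().encode())
                      for p in env.parties)
        if matched:
            return 200, dict(PRIVATE_HEADERS), _render(env, noindex_meta=True)
    challenge = ('<html><head><meta name="robots" content="noindex, nofollow"></head>'
                 '<body><form method="post">Enter the e-mail address this envelope '
                 'was sent to: <input name="email"></form></body></html>')
    return 200, dict(PRIVATE_HEADERS), challenge


_META_RE = re.compile(r'<meta\s+name="robots"\s+content="([^"]*)"', re.I)


def is_indexable(status: int, headers: dict, body: str) -> bool:
    """Judge a response the way a crawler would: a 200 is indexable unless an
    X-Robots-Tag header or a robots meta tag carries a noindex directive."""
    if status != 200:
        return False
    directives = [v.lower() for k, v in headers.items() if k.lower() == "x-robots-tag"]
    directives += [m.lower() for m in _META_RE.findall(body)]
    return not any("noindex" in d for d in directives)


def leaks_party_emails(body: str) -> bool:
    """Does the page body expose any party's e-mail address?"""
    return any(p.email in body for env in ENVELOPES.values() for p in env.parties)
```

The point of the challenge step is that the link stops being a bearer credential: a copy of it inside an uploaded PDF, an indexed cache or a crawler's log no longer yields the party list on its own. The noindex header and meta tag only ask polite crawlers to stay away, which is why the example applies both fixes rather than relying on noindex alone.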

Should they have predicted how a user would use their system? Yes, when you claim to have double and triple audits of security... what you pay for is to find the unexpected like this.

Did they do a good job quickly fixing it? Yes.



Cindy Hallas
Amerifirst Financial, Inc. - Scottsdale, AZ
Sr. Mortgage Loan Originator NMLS # 334571

Useful and timely info my friend!  This is disturbing to say the least!  Thank you!

 

Jun 07, 2012 08:13 AM
Gloria Commiso
Keller Williams - Hermosa Beach, CA
Hermosa Beach

Yikes, I already kinda don't like the way we have become so impersonal in the interest of time... but this is not good.

Jun 07, 2012 11:02 AM
Dr. Stacey-Ann Baugh
Century 21 New Millennium - Upper Marlboro, MD
A doctor who makes house calls.

This is incredibly disturbing. Thanks for bringing it to my attention.

Jun 07, 2012 11:08 AM
Holly Weatherwax
Associate Broker, Momentum Realty - Reston, VA
A Great Real Estate Experience

This is really, really disturbing. It is always a concern when using on-line services, but Docusign, in particular, is really problematic since contracts & listing agreements contain so much personal information.

Jun 07, 2012 09:03 PM
Anonymous
David

That last "explanation" is classic misdirection (some call it lying!). When Google indexes a document, the link will take you back to the location where it was, not some embedded link inside.  

The links in Google took you directly to the docusign.net site, not anything else. The "cloud" or "other website" is not an explanation because all web sites are in the cloud, including docusign's, the one that Google indexed and found this PII.  

Also, how did DocuSign get links to another web site removed from Google?

Also, how did DocuSign "fix" this by introducing an extra authentication step that clearly wasn't there before?

They are just plain hiding their true failure in this matter. And then blaming their customers! They should be ashamed of their lies, their poor technology and then blaming their customers for their errors.

Aug 30, 2012 07:57 AM
#5
Anonymous
a fine fellow

A lot of people bummed out at DocuSign apparently: docusignsucks.com

Jul 23, 2013 09:19 AM
#6
Amanda Thomas
Providence Group Realty - Plano, TX
Broker, SRES®, BPOR, MCNE, Certified DRS Agent™

Now THIS is an example of fine real-estate-related investigative journalism. Way to go with reporting a compromising issue and influencing corrective measures!

May 31, 2014 11:35 PM