DOCUSIGN Leaks PII Private Data to Google!

By Real Estate Broker/Owner with Northern Virginia Homes - FRANKLY REAL ESTATE Inc

UPDATE on 6/9/2012 Posted at BOTTOM OF Blog Post.


UNEDITED POST FROM 6/7/2012

We all hear about Google indexing our sites. Great, right? Well, NOT if you let Google index the part of your site that has personal data on it. ESPECIALLY if you claim to be a "SECURE" company!

Especially if the front page of your site says "More than 15 million people trust Docusign"

Well now it is more like 14,999,997, and dropping


I stumbled upon something interesting today.

I was emailing with a user of my site. They said they had a house to list and sell. As part of my "who is this person" I did a Google search on their email (Normally I do my research starting with Rapportive.com, but they were down).

What did I find?

They JUST signed a listing agreement with another broker a couple days ago!

How did I know this? Google had indexed the Docusign page (on httpS, which is just funny since S means Secure, but not secure if Google indexes you).

Docusign was exposing personally identifiable information (see Wikipedia for PII) including all party names, all parties' private email addresses, the name of the contract (such as "Purchase for 555 Oak" or "listing agreement") and the EXACT GPS location of the parties that signed.

Please flag this or pass this around so your agents hold off on using Docusign until it is fixed (or at least warn all parties that their info might be exposed).

Here is an example 


Also what else sucks is they leaked the private emails. My email address is not public on ONE website because I hate spam. The way they leaked the email addresses, any spammer can now harvest the addresses and start spamming you.


Want to see if you are on there? 

Here is how:

Google this:

site:http://docusign.net  "YOUREMAIL@YOURDomain.com"           (with quotes)

or

site:http://docusign.net  company name


and see what you find. And make sure you click on the CACHED version.


I just did a search and found a second friend of mine on there... they will not be happy. 2 so far.

Update: Docusign claims they didn't do anything wrong and that it must be that these 4,000 accounts somehow publicly shared these otherwise private links... Hum. Then why have they suddenly changed how the pages are designed so they are no longer public? You can still see the data on Google Cache.

It was a screw up and they need to contact all 10,000+ people that were affected.


Frank B. LLosa- Attorney at Law in NJ 

Broker FranklyRealty.com VA, DC, MD

Owner FranklyMLS.com


PS.  Another funny thing. The seller is in computer security. Ironic isn't it!


U P D A T E 6/9/2012: (Agent Genius also wrote an update here: Overnight, DocuSign helps customers ensure document security)

Ok, so I got to the bottom of what happened. It is confusing, so if you don't care, don't read this.

What happened was at least 4,000 contracts were posted PUBLICLY (probably accidentally) online. Who posted them? Likely one of the signing parties, not Docusign. In other words, if 4 people signed the contract, one of them downloaded the final Docusign-signed document or PDF and then UPLOADED it to a "cloud" service or website. That website was set to PUBLIC. Most probably thought it was private online storage; we don't know.

Google was then able to index these contracts, and each one contained a link back to Docusign.net/long-website-address that gave a confirmation of the transaction. Anyone holding that link (Google's crawler included) could therefore open the confirmation page, which listed all parties' names, private email addresses, the contract name and GPS coordinates for the signers.

Bottom line: did Docusign "do nothing wrong"? Well, here are the things they could have done better, and you can decide whether failing to see this coming counts as wrong.

1) A simple "noindex" tag on every private file hosted on Docusign.net. This would have made the results MUCH harder to find, and Google would not have indexed them (other search engines might have).

2) Another firewall. This is the extra security step that they added overnight (see AG blog post). The pages that previously could be seen with one click (their chosen balance of security and simplicity) now require the viewer to enter some data before seeing them.
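Added example (my own code, not DocuSign's or this blog's): the confirmation page from the update, served first the weak way the post describes (the long link alone hands over the PII, and nothing tells a crawler arriving from an uploaded PDF to stay out), then with the two fixes above, a noindex/noarchive directive plus a gate that withholds the PII until the viewer supplies something a signing party would know. The record layout, the e-mail-match gate and the handler shapes are assumptions; is_indexable is a check you can run against your own responses.

```python
import hmac
import re

# Constructed sample confirmation record; field names are assumptions, not DocuSign's.
RECORD = {
    "title": "Listing agreement (constructed sample)",
    "parties": [
        {"name": "A. Seller", "email": "seller@example.com"},
        {"name": "B. Agent", "email": "agent@example.com"},
    ],
}

def render_pii(record):
    """Body listing every party: the data the post says was exposed."""
    return "\n".join([record["title"]] +
                     [f'{p["name"]} <{p["email"]}>' for p in record["parties"]])

def weak_confirmation(record):
    """Capability-URL anti-pattern: whoever holds the long link gets the PII, and
    nothing tells a crawler that followed the link out of an uploaded PDF to stay out."""
    return {"status": 200, "headers": {}, "body": render_pii(record)}

def hardened_confirmation(record, claimed_email=None):
    """Same page with the two fixes: crawlers are told not to index or cache it, and
    the PII is withheld until the viewer names an address that signed. The e-mail
    gate is an illustrative check assumed here, not DocuSign's actual step."""
    headers = {
        "X-Robots-Tag": "noindex, nofollow, noarchive",  # noarchive: no cached copy either
        "Cache-Control": "private, no-store",
        "Referrer-Policy": "no-referrer",  # keep the long URL out of other sites' logs
    }
    claimed = (claimed_email or "").strip().lower().encode()
    known = any(hmac.compare_digest(p["email"].lower().encode(), claimed)
                for p in record["parties"])
    if not known:
        return {"status": 403, "headers": headers,
                "body": "Enter the e-mail address you signed with to view this confirmation."}
    return {"status": 200, "headers": headers, "body": render_pii(record)}

META_NOINDEX = re.compile(r'<meta\s+name=["\']robots["\']\s+content=["\'][^"\']*noindex', re.I)

def is_indexable(response):
    """Audit check for your own pages: True when neither an X-Robots-Tag header nor a
    robots meta tag opts the page out. robots.txt is no substitute: a Disallow stops
    the crawler fetching the page, so it never sees noindex, and the URL can still be
    listed from links found elsewhere."""
    if "noindex" in response["headers"].get("X-Robots-Tag", "").lower():
        return False
    return not META_NOINDEX.search(response["body"])
```

The noarchive directive matters for the point the post makes about the cached copy: a noindex alone still lets an already-cached page linger until it is recrawled.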

Should they have predicted how a user would use their system? Yes, when you claim to have double and triple audits of security... what you pay for is to find the unexpected like this.

Did they do a good job quickly fixing it?  Yes. 


Cindy Hallas
Amerifirst Financial, Inc. - Scottsdale, AZ

Useful and timely info my friend!  This is disturbing to say the least!  Thank you!

 

Jun 07, 2012 03:13 PM #1
Gloria Commiso
Keller Williams - Hermosa Beach, CA
Hermosa Beach

Yikes, I already kinda don't like the way we have become so impersonal in the interest of time... but this is not good

Jun 07, 2012 06:02 PM #2
Dr. Stacey-Ann Baugh
Century 21 New Millennium - Upper Marlboro, MD
A doctor who makes house calls.

This is incredibly disturbing. Thanks for bringing it to my attention.

Jun 07, 2012 06:08 PM #3
Holly Weatherwax
Momentum Realty - Reston, VA
Moving Your Dreams Forward...

This is really, really disturbing. It is always a concern when using on-line services, but Docusign, in particular, is really problematic since contracts & listing agreements contain so much personal information.

Jun 08, 2012 04:03 AM #4
David

That last "explanation" is classic misdirection (some call it lying!). When Google indexes a document, the link will take you back to the location where it was, not some embedded link inside.  

The links in Google took you directly to the docusign.net site, not anything else. The "cloud" or "other website" is not an explanation because all web sites are in the cloud, including docusign's, the one that Google indexed and found this PII.  

Also, how did DocuSign get links to another web site removed from Google?

Also, how did DocuSign "fix" this by introducing an extra authentication step that clearly wasn't there before?

They are just plain hiding their true failure in this matter. And then blaming their customers! They should be ashamed of their lies, their poor technology and then blaming their customers for their errors.

Aug 30, 2012 02:57 PM #5
a fine fellow

A lot of people bummed out at DocuSign apparently: docusignsucks.com

Jul 23, 2013 04:19 PM #6
Amanda Thomas
Providence Group Realty - Plano, TX
Broker, Realtor®, SRES®, BPOR

Now THIS is an example of fine real-estate related investigative journalism. Way to go with reporting a compromising issue and influencing corrective measures!

Jun 01, 2014 06:35 AM #7