Zoho Writer flaw highlights disclosure problem in Web 2.0 world

CNET News.com's Martin LaMonica recently stumbled upon on an information disclosure vulnerability in Zoho Writer,  the browser-based word processing software popular among Web 2.0 early adopters. The raw details:

On Sunday morning, I went up to my Zoho Writer page and searched on "soccer." The results included two of my documents, but also seven others created by people I didn't know. I reported the incident to a Zoho technology evangelist, who swiftly escalated the issue to the company's engineering team. After a few correspondences, the Zoho team identified the bug and fixed it. ...To Zoho's credit, its people apologized and clearly recognized the seriousness of the bug. The problem came up because of a situation that's not likely to come up often. But it does give me pause. Did somebody else stumble upon my documents?

This story raises a serious issue about disclosure ethics in a Web 2.0 world, where vulnerabilities are silently fixed without end users ever knowing about their exposure to serious risk.    What if one of LaMonica's documents stored in Zoho contained personally identifiable information that could be used to steal his identity?   What if someone with malicious intent had already found that that vulnerability and was using it to pilfer documents? We'll never know the answer to those questions but, in my mind, companies that operate in the data storage business have a responsibility to notify end users when vulnerabilities are found and fixed I took at peek at the official Zoho Writer blog and found only marketing-type entries.  No disclosure or notice to Zoho users. Zoho is not alone with this problem.  Microsoft and Google routinely fix bugs -- some very serious -- in online services but,  because the fix is done server side and doesn't include a patch to be downloaded/installed, vulnerability alerts are never published and the end user is none the wiser. [ READ: GMail backdoor patched, time to check your filters ] We already have documented evidence that a silent fix from Google for a major GMail vulnerability was used to sabotage the business of David Airey, a popular logo designer. In this blog entry, Airey details how he fell victim to a Gmail hijack that could have been avoided if Google had provided an alert to Gmail users during the sign-in process. We know that Microsoft fixes vulnerabilities in online services because the company maintains an acknowledgments page to thank flaw finders but the nature of those bugs -- and the associated risks -- are never, ever disclosed.   Did any of those bugs expose Windows Live usernames/passwords?  Should Windows Live users take any post-fix precautions to secure their online identities?  Did any of those vulnerabilities expose users to code injection or drive-by malware downloads? Malicious hackers are looking for -- and finding -- these vulnerabilities before the good guys so it's a very safe assumption that some of these  bugs have been used in zero-day attacks before server-side fixes are made. Vendors in the Web 2.0 space have a responsibility to disclose fixes to end users.   If your online service participates in silent fixes, you should be aware of the risks and make demands from these vendors. [ UPDATE:  Less than an hour after I hit publish on this post, Zoho posted a notice on its blog disclosing the issue:

We enabled a new indexer for searching group related documents on Saturday. As with search related features, the indexer was supposed to index over several days before the feature was officially unveiled. Unfortunately, we introduced a crucial bug in the new search system, which impacted one of our users on Sunday. The search results included 4 documents from other users (shared to their own unrelated groups). As soon as we got notified, we stopped the search subsystem and started a full investigation, which unearthed the bug in 3 hours.

We fixed the issue immediately after the root cause was identified.

I think the company should go a step further and put a link to this disclosure immediately after a user logs in, just to be 100% sure that customers are fully aware of what happened.