November turned bad for Microsoft & Instagram!

Data breach is a major player when it comes to causing financial as well as reputational losses to a business. With the implementation of laws such as GDPR and a plethora of privacy debates going across the globe, unethical data collection or poor coding practices are the new players in the town. In the last two weeks, Microsoft and Instagram have been in the news – one for collecting MS Office user data while other for displaying passwords in the plain text. This post will discuss both these incidents and their significance.

Microsoft violates GDPR

Dutch authorities have found out that Microsoft has violated GDPR on a large scale by collecting personal data in ProPlus subscriptions of Office 2016 and Office 365. This data collection has been entirely covert and there has been no disclosure of such data collection to the users.[1] It was possible due to Microsoft’s telemetry data collection mechanism which is a built-in feature and it collects data such as email subject lines, sentences contained in the documents scanned by translation and spell checker tools of Microsoft.

Dutch authorities have outlined a total of eight issues in the said version of above-mentioned subscriptions. To further worsen the situation, there is neither any official documentation of data collection nor any way to turn it off.  This incident has also concerned the Dutch government as MS Office is used on more than 300,000 computers and there is a definite possibility of government-related data ending up on the servers in the United States.

In addition, the authority has also found out that MS Office applications collect around 35,000 types of event data which can be then accessed by at least 30 teams. For Windows 10, this figure stands at 1,200 types of event data with at least 10 teams accessing it on a regular basis.

Instagram reveals passwords in plaintext

Although accidentally, this bug showing passwords of users in plaintext in browser URLs only affected a few users. In order to be compliant with the GDPR requirements, Instagram had launched a feature for users to download their data in April 2018.[2] This feature enabled the users to download their photos, videos, comments, etc. This bug came into play when a user pressed the Enter key instead of clicking the Request Download button on Download Your Data page.

This incident might not be an issue for a user accessing his Instagram account on his personal device or unshared computers. However, for shared computers, accessing browsing history or simple shoulder surfing techniques can lead to unauthorized access into a user’s account by an unwanted third party.

As a matter of general practice, passwords are transmitted and stored in hashes while the same is not true for the URLs. HTTPS encrypts URLs during the transmission but after they reach their destination, they are converted into plain text – just like as we see in our browser. The URL requests are also logged for analysing user behaviour among the other applications. An Instagram spokesperson has confirmed the incident and stated that they are in process of deleting any such passwords which may have been stored in its log data.[3]


[1]https://www.rijksoverheid.nl/documenten/rapporten/2018/11/07/data-protection-impact-assessment-op-microsoft-office

[2] https://help.instagram.com/181231772500920

[3]https://www.theinformation.com/articles/new-instagram-bug-raises-security-questions

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s