Zoho Writer search bug exposed private documents
A bug surfaced during development of a group-oriented search feature allowed me to view Zoho documents created by other people that were not intentionally shared with me.
Zoho fixed the bug on Sunday, after I reported it, and said its impact was limited. Still, as a user, it made me think twice about putting private documents online.
On Sunday morning, I went up to my Zoho Writer page and searched on "soccer." The results included two of my documents, but also seven others created by people I didn't know.
I reported the incident to a Zoho technology evangelist, who swiftly escalated the issue to the company's engineering team. After a few correspondences, the Zoho team identified the bug and fixed it.
The reason I saw documents that were not shared with me is because Zoho is adding a feature to search on shared documents.
The system had one bug under a specific scenario, according to company engineers. The index had been running only for a few hours, but Zoho stopped it to do another round of quality assurance testing, I was told.
To Zoho's credit, its people apologized and clearly recognized the seriousness of the bug. The problem came up because of a situation that's not likely to come up often. But it does give me pause. Did somebody else stumble upon my documents?
Overall, I enjoy having Web-based documents, even when the product is in beta test version, as Zoho Writer is. But the incident raises questions of privacy and underscores the importance of trust between a consumer and Web service provider.
Martin LaMonica is a senior writer for CNET's Green Tech blog. He started at CNET News in 2002, covering IT and Web development. Before that, he was executive editor at IT publication InfoWorld. E-mail Martin.
