As has been warned before, if your company uses Box to share files and employs a custom domain, you might be exposing confidential data. That is not because of a bug or vulnerability in Box; it is due to improperly configured sharing settings that could allow a snoop to find your files.
Security firm Adversis said it was able to identify thousands of Box customer sub-domains through standard intelligence gathering techniques and via brute force using a relatively large word list. This led to the discovery of hundreds of thousands of documents adding up to several terabytes of data.
"Companies using Box Enterprise get their own sub-domain, and documents saved on Box can be shared to anyone with the unique URL. Users can also name the shared link to whatever they choose. Unfortunately, the sub-domain, URL, and folder names are easily brute-forceable," Adversis says.
What the security firm found was not just benign data, either. It was able to view hundreds of passport photos, social security and bank account numbers, employee and customer lists, high-profile technology prototype and design files, financial data, VPN configurations, and more.
Data stored in Box Enterprise accounts is private by default, but users can make files and folders publicly accessible with a single link (called a shared link), which can then be passed on to others. While the link is meant to be secret, it is not difficult for an attacker to discover it. Some of the public folders even get indexed by search engines, making it all the easier to find data that is assumed to be somewhat private.
"We take our customers’ security seriously and we provide controls that allow our customers to choose the right level of security based on the sensitivity of the content they are sharing. In some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to public or ‘open’. We are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links," Box spokesperson Denis Roy told TechCrunch.
Box also points out there are different access controls companies can use, depending on what type of content they are dealing with:
- People with the link (public/open)—Anyone with the link can access the item and no Box account is required
- People in your company—Users within your same Box enterprise and users who have a Box account with the same email domain will be able to access content
- People in this folder/file—Only users who have been invited to the item (folder or file) can access the content
Companies also can (and should) enable security controls, such as password protection and expiration policies on shared links.
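To show how the three access levels and the password and expiration controls above translate into an audit, here is an added example (not Box's code and not from the Adversis report) that rates shared links and proposes a tighter setting for public ones. It assumes item records shaped like the Box Content API's `shared_link` object (`access`, `is_password_enabled`, `unshared_at`) and uses a constructed sample listing; the remediation policy is hypothetical.

```python
import json

# Constructed sample item listing. The shape follows Box's item records when
# the shared_link field is requested (the field names are an assumption here).
SAMPLE_ITEMS = [
    {"type": "file", "id": "1001", "name": "vpn-config.ovpn",
     "shared_link": {"access": "open", "is_password_enabled": False, "unshared_at": None}},
    {"type": "folder", "id": "2002", "name": "press-kit",
     "shared_link": {"access": "open", "is_password_enabled": True, "unshared_at": "2030-01-01T00:00:00-00:00"}},
    {"type": "file", "id": "3003", "name": "payroll.xlsx",
     "shared_link": {"access": "company", "is_password_enabled": False, "unshared_at": None}},
    {"type": "file", "id": "4004", "name": "roadmap.pdf",
     "shared_link": {"access": "collaborators", "is_password_enabled": False, "unshared_at": None}},
    {"type": "file", "id": "5005", "name": "notes.txt", "shared_link": None},
]

def rate_shared_link(link):
    """Map a shared_link object to (severity, reasons) using Box's three access levels."""
    if not link:
        return None, []              # no link at all: private by default
    access = link.get("access")
    reasons = []
    if access == "open":
        reasons.append("public link: anyone with the URL can read it, no Box account needed")
        if not link.get("is_password_enabled"):
            reasons.append("no password set on a public link")
        if not link.get("unshared_at"):
            reasons.append("no expiration set on a public link")
        # public with both compensating controls is medium; missing either is high
        return ("high" if len(reasons) > 1 else "medium"), reasons
    if access == "company":
        return "low", ["visible to everyone in the enterprise or with the company email domain"]
    return None, []                  # collaborators only: already least privilege

def audit_shared_links(items):
    """Return findings for every item whose link is broader than collaborators-only."""
    findings = []
    for item in items:
        severity, reasons = rate_shared_link(item.get("shared_link"))
        if severity:
            findings.append({"id": item["id"], "name": item["name"], "type": item["type"],
                             "severity": severity, "reasons": reasons})
    return findings

def remediation_body(finding):
    """Request body to narrow a public link to the company (hypothetical policy);
    intended for a PUT on the file or folder with the shared_link field."""
    if finding["severity"] in ("high", "medium"):
        return {"shared_link": {"access": "company"}}
    return None                      # company-level links are reported, not changed

if __name__ == "__main__":
    for f in audit_shared_links(SAMPLE_ITEMS):
        print(f["severity"].upper(), f["type"], f["name"], "->", json.dumps(remediation_body(f)))
```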