Box Sync for Mac has been updated to address a security issue that exposed sensitive internal information, a researcher reported over the weekend.
Pepijn Bruienne, a Mac development and operation specialist senior at the University of Michigan, analyzed the Mac version of the popular desktop sync application to see if he could control its auto-update feature. While browsing through the application’s files, he discovered some Python files containing sensitive data such as API keys, internal user IDs, passwords, and URLs.
“This is probably not a good thing. Since bots exist that scan Github and other public version control services for unintentionally checked in API keys and secrets, Box probably didn’t mean to expose all this information in the Box Sync application,” Bruienne explained in a blog post.
The researcher highlighted that he had not attempted to use any of the information he found to gain access to Box systems.
“There is no way of knowing who else has been aware of the exposed information before me and whether or not it may have been used to access Box customer data. This is especially important in environments that use a managed software update workflow which may be holding back automatic updates until specific action is taken by an admin,” the expert noted.
Representatives of the file sharing and cloud content management services provider have clarified that customer data was never at risk and that there is no evidence to suggest unauthorized use of the exposed credentials.
“On January 12, a security researcher notified us of an issue in Box Sync where internal credentials were exposed that would have granted access to our public software distribution points. We remediated the issue within 24 hours by deactivating the credentials,” Box told SecurityWeek via email.
“At no time was customer data at risk. It’s important to note these credentials aided access to already public resources. In addition, we examined our logs and verified there was no unauthorized use of these credentials, and have issued an update to Box Sync to completely remove the deactivated credentials in order to reduce confusion and potential risk in the future,” the company added.
The security issue was fixed with the release of Box Sync for Mac version 4.0.6035.
