CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Box Enterprise Shared Links Leak Sensitive Information

Box enterprise shared links can leak sensitive information if access to them hasn’t been restricted to relevant users only, Adversis security researchers warn.

Box enterprise shared links can leak sensitive information if access to them hasn’t been restricted to relevant users only, Adversis security researchers warn.

All companies using Box enterprise cloud storage get their own sub-domain, and the service also allows for the easy sharing of documents stored on Box, via unique URLs. However, it is rather trivial to brute-force the sub-domain, shared URL, and folder names, the researchers discovered. 

The issue isn’t new and has been reported on in the past, but remains a problem, at least if access isn’t configured properly. Access to Box Shared Links can be set to anyone with the link, users within a Box enterprise or with accounts on the sub-domain, or only to the users who have been invited to a folder/file.

Without properly configured access, tons of sensitive information could be exposed to the Internet, and this is exactly what Adversis has discovered. 

“After identifying thousands of Box customer sub-domains through standard intelligence gathering techniques and using a relatively large wordlist, we discovered hundreds of thousands of documents and terabytes of data exposed across hundreds of customers,” the researchers say.

While most of the data was public, some of it included sensitive information such as passport photos, social security and bank account numbers, high profile technology prototype and design files, employee lists, financial data, invoices, internal issue trackers, customer lists and archives of years of internal meetings, and IT data, VPN configurations, and network diagrams.

The researchers say that the sheer number of impacted companies made it impossible to notify all of them. However, with some organizations having thousands of sensitive documents accessible to anyone, Adversis notified only those with highly sensitive data exposed. 

Box too was made aware of the issue, and the company updated its guidelines to underline the fact that Custom Shared Links could expose sensitive information, given that anyone able to guess the URL could access the content. 

Advertisement. Scroll to continue reading.

To reduce the accidental creation of public links, Box recommends restricting Shared Link access to users within the company, keeping constant track of public custom shared links, and avoiding to create public custom shared links to content not intended for public consumption.

The security researchers also published on GitHub code that makes it easy to find the Box accounts of organizations and start scanning for exposed content. 

Related: Thousands of Mobile Apps Leak Data from Firebase Databases

Related: China Arrests Suspect for Customer Data Leak at Accor Partner

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.