Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

Box Enterprise Shared Links Leak Sensitive Information

Box enterprise shared links can leak sensitive information if access to them hasn’t been restricted to relevant users only, Adversis security researchers warn.

Box enterprise shared links can leak sensitive information if access to them hasn’t been restricted to relevant users only, Adversis security researchers warn.

All companies using Box enterprise cloud storage get their own sub-domain, and the service also allows for the easy sharing of documents stored on Box, via unique URLs. However, it is rather trivial to brute-force the sub-domain, shared URL, and folder names, the researchers discovered. 

The issue isn’t new and has been reported on in the past, but remains a problem, at least if access isn’t configured properly. Access to Box Shared Links can be set to anyone with the link, users within a Box enterprise or with accounts on the sub-domain, or only to the users who have been invited to a folder/file.

Without properly configured access, tons of sensitive information could be exposed to the Internet, and this is exactly what Adversis has discovered. 

“After identifying thousands of Box customer sub-domains through standard intelligence gathering techniques and using a relatively large wordlist, we discovered hundreds of thousands of documents and terabytes of data exposed across hundreds of customers,” the researchers say.

While most of the data was public, some of it included sensitive information such as passport photos, social security and bank account numbers, high profile technology prototype and design files, employee lists, financial data, invoices, internal issue trackers, customer lists and archives of years of internal meetings, and IT data, VPN configurations, and network diagrams.

The researchers say that the sheer number of impacted companies made it impossible to notify all of them. However, with some organizations having thousands of sensitive documents accessible to anyone, Adversis notified only those with highly sensitive data exposed. 

Box too was made aware of the issue, and the company updated its guidelines to underline the fact that Custom Shared Links could expose sensitive information, given that anyone able to guess the URL could access the content. 

To reduce the accidental creation of public links, Box recommends restricting Shared Link access to users within the company, keeping constant track of public custom shared links, and avoiding to create public custom shared links to content not intended for public consumption.

The security researchers also published on GitHub code that makes it easy to find the Box accounts of organizations and start scanning for exposed content. 

Related: Thousands of Mobile Apps Leak Data from Firebase Databases

Related: China Arrests Suspect for Customer Data Leak at Accor Partner

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


A database containing over 235 million unique records of Twitter users is now available for free on the web, cybercrime intelligence firm Hudson Rock...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...