Box Sync for Mac has been updated to address a security issue that exposed sensitive internal information, a researcher reported over the weekend.
Pepijn Bruienne, a Mac development and operation specialist senior at the University of Michigan, analyzed the Mac version of the popular desktop sync application to see if he could control its auto-update feature. While browsing through the application’s files, he discovered some Python files containing sensitive data such as API keys, internal user IDs, passwords, and URLs.
“This is probably not a good thing. Since bots exist that scan Github and other public version control services for unintentionally checked in API keys and secrets, Box probably didn’t mean to expose all this information in the Box Sync application,” Bruienne explained in a blog post.
The researcher highlighted that he had not attempted to use any of the information he found to gain access to Box systems.
“There is no way of knowing who else has been aware of the exposed information before me and whether or not it may have been used to access Box customer data. This is especially important in environments that use a managed software update workflow which may be holding back automatic updates until specific action is taken by an admin,” the expert noted.
Representatives of the file sharing and cloud content management services provider have clarified that customer data was never at risk and that there is no evidence to suggest unauthorized use of the exposed credentials.
“On January 12, a security researcher notified us of an issue in Box Sync where internal credentials were exposed that would have granted access to our public software distribution points. We remediated the issue within 24 hours by deactivating the credentials,” Box told SecurityWeek via email.
“At no time was customer data at risk. It’s important to note these credentials aided access to already public resources. In addition, we examined our logs and verified there was no unauthorized use of these credentials, and have issued an update to Box Sync to completely remove the deactivated credentials in order to reduce confusion and potential risk in the future,” the company added.
The security issue was fixed with the release of Box Sync for Mac version 4.0.6035.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Siemens License Manager Vulnerabilities Allow ICS Hacking
- CISA Releases Open Source Recovery Tool for ESXiArgs Ransomware
- ICS Cybersecurity Firm Opscura Launches With $9.4 Million in Series A Funding
- Patch Released for Actively Exploited GoAnywhere MFT Zero-Day
- VMware Says No Evidence of Zero-Day Exploitation in ESXiArgs Ransomware Attacks
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability
Latest News
- Minister: Cybercrimes Now 20% of Spain’s Registered Offenses
- Skybox Security Raises $50M, Hires New CEO
- Spies, Hackers, Informants: How China Snoops on the US
- Australian Man Sentenced for Scam Related to Optus Hack
- Chrome 110 Patches 15 Vulnerabilities
- Application Security Protection for the Masses
- Tor Network Under DDoS Pressure for 7 Months
- Siemens License Manager Vulnerabilities Allow ICS Hacking
