Security Experts:

Connect with us

Hi, what are you looking for?



Box Sync for Mac Exposed Sensitive Information: Researcher

Box Sync for Mac has been updated to address a security issue that exposed sensitive internal information, a researcher reported over the weekend.

Box Sync for Mac has been updated to address a security issue that exposed sensitive internal information, a researcher reported over the weekend.

Pepijn Bruienne, a Mac development and operation specialist senior at the University of Michigan, analyzed the Mac version of the popular desktop sync application to see if he could control its auto-update feature. While browsing through the application’s files, he discovered some Python files containing sensitive data such as API keys, internal user IDs, passwords, and URLs.

“This is probably not a good thing. Since bots exist that scan Github and other public version control services for unintentionally checked in API keys and secrets, Box probably didn’t mean to expose all this information in the Box Sync application,” Bruienne explained in a blog post.

The researcher highlighted that he had not attempted to use any of the information he found to gain access to Box systems.

“There is no way of knowing who else has been aware of the exposed information before me and whether or not it may have been used to access Box customer data. This is especially important in environments that use a managed software update workflow which may be holding back automatic updates until specific action is taken by an admin,” the expert noted.

Representatives of the file sharing and cloud content management services provider have clarified that customer data was never at risk and that there is no evidence to suggest unauthorized use of the exposed credentials.

“On January 12, a security researcher notified us of an issue in Box Sync where internal credentials were exposed that would have granted access to our public software distribution points. We remediated the issue within 24 hours by deactivating the credentials,” Box told SecurityWeek via email.

“At no time was customer data at risk. It’s important to note these credentials aided access to already public resources. In addition, we examined our logs and verified there was no unauthorized use of these credentials, and have issued an update to Box Sync to completely remove the deactivated credentials in order to reduce confusion and potential risk in the future,” the company added.

The security issue was fixed with the release of Box Sync for Mac version 4.0.6035.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.