Cyber-security firm Adversis has published a paper claiming that it discovered hundreds of thousands of documents and terabytes of data exposed across hundreds of Box customers. Box is a cloud-based content management platform, and is used by several big companies like Apple, Discovery, Edelmen, Amadeus, and more. This exposure of private content is due to easy guessing or brute forcing of Box account shared document URLs, and is not a bug or vulnerability. Box has responded saying that it is "taking steps to make privacy settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally."
Adversis says that the data that has been exposed, includes passport photos, social security and bank account numbers, high profile technology prototype and design files, employees lists, financial data, invoices, internal issue trackers, customer lists and archives of years of internal meetings, IT data, VPN configurations, and network diagrams. TechCrunch reports that companies like Amadeus, Apple, TV channel Discovery, Edelman, Herbalife, Schneider Electric, PointCare, and United Tissue Network were a part of a list of known exposed Box accounts. Amadeus, Apple, Box, Discovery, Herbalife, Edelman and PointCare have all reconfigured their enterprise accounts to prevent access to their leaking files.
The issue is mainly due to easy URLs for all the files and folders of a Box account holder. All the links that are public usually can only be accessed by users with whom the link is shared. However, if a user is successful in guessing the URL, they can access it easily, and often these links include sensitive data.
In its post, Adversis writes that Box has been prompt to call out the issue of URL guessing and recommends that administrators configure Shared Link default access to 'People in your company' to reduce accidental creation of public (open) links by users. It also recommends regular scan of shared link report, and advises users to not create public (open) custom shared links to content that is not intended for public consumption. Adversis adds that the possibility of guessing or brute forcing Box account shared document URLs was first pointed out in June last year, but gained little attention.
Box spokesperson Denis Roy told the publication, "We take our customers' security seriously and we provide controls that allow our customers to choose the right level of security based on the sensitivity of the content they are sharing. In some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to public or 'open'. We are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links."