Apple, Other Box Account Users Exposed Sensitive Corporate Data: Adversis


Adversis says Apple, Edelman, Amadeus data was exposed through Box

Highlights
  • Adversis stumbled upon a large pool of sensitive data shared through Box
  • The cause is easily created shared links whose URLs attackers can guess
  • Affected companies were advised to change their privacy settings

Cyber-security firm Adversis has published a paper claiming that it discovered hundreds of thousands of documents and terabytes of data exposed across hundreds of Box customers. Box is a cloud-based content management platform used by several big companies, including Apple, Discovery, Edelman, Amadeus, and more. The exposure of private content is the result of guessing or brute-forcing the URLs of Box shared documents; it is not a bug or vulnerability in Box itself. Box has responded saying that it is "taking steps to make privacy settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally."

Adversis says that the exposed data includes passport photos, social security and bank account numbers, high-profile technology prototype and design files, employee lists, financial data, invoices, internal issue trackers, customer lists and archives of years of internal meetings, IT data, VPN configurations, and network diagrams. TechCrunch reports that companies like Amadeus, Apple, TV channel Discovery, Edelman, Herbalife, Schneider Electric, PointCare, and United Tissue Network were on the list of known exposed Box accounts. Amadeus, Apple, Box, Discovery, Herbalife, Edelman and PointCare have all reconfigured their enterprise accounts to prevent access to their leaking files.

The issue stems from the easily guessable URLs of the files and folders in a Box account. A shared link is normally seen only by the people the owner shares it with, so in practice only they can reach the content. However, when a link is set to public (open), anyone who guesses the URL can access the content directly, and these links often point to sensitive data.

In its post, Adversis writes that Box was prompt to acknowledge the issue of URL guessing, and recommends that administrators configure the Shared Link default access to 'People in your company' to reduce the accidental creation of public (open) links by users. It also recommends regularly reviewing the shared link report, and advises users not to create public (open) custom shared links to content that is not intended for public consumption. Adversis adds that the possibility of guessing or brute-forcing Box shared document URLs was first pointed out in June last year, but gained little attention.
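The review of the shared link report that Adversis recommends can be automated. The following is an added example, not code from Adversis or Box: it parses a constructed CSV export of a shared-link report (the column names are an assumption, not Box's actual export schema), flags every link whose access level is open, and ranks open custom links first because their human-chosen slugs are the easier ones to guess.

```python
import csv
import io
from collections import Counter

# Constructed sample of a shared-link report export. Column names are an
# assumption for this example and do not reflect Box's real report format.
SAMPLE_REPORT = """owner,item_type,item_name,access_level,link_kind,link
alice@example.com,file,passport-scan.pdf,open,custom,https://example.app.box.com/v/passport-scan
alice@example.com,folder,Q3 invoices,company,generated,https://example.app.box.com/s/a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
bob@example.com,file,vpn-config.ovpn,open,generated,https://example.app.box.com/s/z9y8x7w6v5u4t3s2r1q0p9o8n7m6l5k4
carol@example.com,folder,Press kit,open,custom,https://example.app.box.com/v/press-kit
dave@example.com,file,org-chart.xlsx,collaborators,generated,https://example.app.box.com/s/0f1e2d3c4b5a69788796a5b4c3d2e1f0
"""


def audit_shared_links(report_text):
    """Return (findings, per_owner) for every open shared link in the report.

    Priority 1: open link with a custom (human-chosen, guessable) slug.
    Priority 2: open link with a generated token (still public to anyone
    who obtains or guesses the URL, so it is reviewed as well).
    Links restricted to the company or to collaborators are not reported.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        if row["access_level"].strip().lower() != "open":
            continue
        custom = row["link_kind"].strip().lower() == "custom"
        findings.append({
            "owner": row["owner"],
            "item": row["item_name"],
            "link": row["link"],
            "priority": 1 if custom else 2,
            "reason": ("open custom link: guessable slug" if custom
                       else "open generated link: public to anyone with the URL"),
        })
    # Most urgent first, then grouped by owner for follow-up with the user.
    findings.sort(key=lambda f: (f["priority"], f["owner"]))
    per_owner = Counter(f["owner"] for f in findings)
    return findings, per_owner


if __name__ == "__main__":
    results, owners = audit_shared_links(SAMPLE_REPORT)
    for f in results:
        print(f"P{f['priority']} {f['owner']} {f['item']}: {f['reason']}")
    print("open links per owner:", dict(owners))
```

Run against a real export, the per-owner counts give administrators a list of users to contact before tightening the default access setting.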

Box spokesperson Denis Roy told the publication, "We take our customers' security seriously and we provide controls that allow our customers to choose the right level of security based on the sensitivity of the content they are sharing. In some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to public or 'open'. We are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links."

By Tasneem Akolawala