UPDATED 21:45 EST / MARCH 11 2019

SECURITY

Corporate data stored on Box exposed by employees sharing public links

Security researchers have discovered terabytes of data from over 90 companies exposed by employees sharing publicly available links to Box Inc.’s cloud storage platform.

In an issue detailed today by cybersecurity firm Adversis LLC, the data and documents had all been uploaded to Box Enterprise accounts and then shared via links by employees, making them publicly viewable by anyone who has the shared URL. Using shared URLs as their starting point, the security researchers were then able to brute-force the links to uncover other links that were also publicly available.

“After identifying thousands of Box customer sub-domains through standard intelligence gathering techniques and using a relatively large wordlist, we discovered hundreds of thousands of documents and terabytes of data exposed across hundreds of customers,” the researchers said.

Data discovered included passport photos, Social Security and bank account numbers, high-profile technology prototype and design files, employee lists, financial data, invoices, internal issue trackers, customer lists, archives of years of internal meetings, IT data, VPN configurations and network diagrams.

The researchers noted that the situation is different from the common cases of Amazon Web Services Inc.’s S3 storage instances being exposed. “On one hand this issue is worse than the S3 bucket issue because finding a company’s Box account is fairly easy, unlike with S3 bucket names which can be long and difficult to guess,” the researchers explained. “On the other hand, employees seem much less likely to store full databases in Box.”

Emphasizing the risk of exposure, the researchers found that in some cases the shared Box links had been indexed by search engines.

According to TechCrunch, some of the companies with exposed data on Box included Apple Inc., Discovery Inc., Herbalife Nutrition Ltd., Schneider Electric SE and even Box itself.

Adversis informed Box of its discovery Sept. 24. Box responded with a public service announcement about securing files Sept. 28. Adversis added that it had published the details only now to allow companies to secure their documents and data.

The potential for Box accounts to expose data to the public remains, however. Box recommends that administrators configure shared link default access to “people in your company” to reduce accidental creation of public links by users, and that users do not create public custom shared links to content that is not intended for public consumption.
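As an added defender-side illustration, not part of the article or of Box's own tooling, the script below audits a folder listing for shared links that are open to anyone holding the URL, the exposure described above. The JSON item shape and the access values "open", "company" and "collaborators" are assumptions modelled on Box's API, and the sample listing is constructed.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample in the assumed shape of a Box folder-items response:
# each entry may carry a shared_link object whose "access" field says who
# can open the link ("open" = anyone with the URL, "company" = people in
# the enterprise, "collaborators" = invited users only).
SAMPLE_ITEMS = json.loads("""
{"entries": [
  {"type": "file", "id": "1001", "name": "vpn-config.ovpn",
   "shared_link": {"url": "https://example.app.box.com/s/abc123", "access": "open"}},
  {"type": "file", "id": "1002", "name": "q3-invoices.xlsx",
   "shared_link": {"url": "https://example.app.box.com/s/def456", "access": "company"}},
  {"type": "folder", "id": "2001", "name": "meeting-archive",
   "shared_link": {"url": "https://example.app.box.com/s/ghi789", "access": "open"}},
  {"type": "file", "id": "1003", "name": "notes.txt", "shared_link": null}
]}
""")

PUBLIC_ACCESS = "open"
RESTRICTED_ACCESS = {"company", "collaborators"}


def classify(item: Dict) -> str:
    """Bucket an item by the audience of its shared link (assumed field names)."""
    link = item.get("shared_link")
    if not link:
        return "none"            # no link at all, nothing to expose
    access = link.get("access")
    if access == PUBLIC_ACCESS:
        return "public"          # the case the article warns about
    if access in RESTRICTED_ACCESS:
        return "restricted"
    return "unknown"             # unexpected value: surface it rather than ignore it


def find_public_links(items: Iterable[Dict]) -> List[Dict]:
    """Return a compact report of every item reachable by anyone with the URL."""
    return [{"id": i["id"], "type": i["type"], "name": i["name"],
             "url": i["shared_link"]["url"]}
            for i in items if classify(i) == "public"]


def summarize(items: Iterable[Dict]) -> Dict[str, int]:
    """Count items per link audience so an admin can track exposure over time."""
    counts: Dict[str, int] = {}
    for i in items:
        bucket = classify(i)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_public_links(SAMPLE_ITEMS["entries"]):
        print(f"PUBLIC {hit['type']} {hit['id']} {hit['name']} -> {hit['url']}")
    print(summarize(SAMPLE_ITEMS["entries"]))
```

Items flagged "public" are the candidates for downgrading to company-only access, which is the default the article says Box recommends administrators set.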
