Pen-testing experts have made a worrisome discovery regarding the popular cloud storage service Box, specifically the Enterprise version used by some of the world’s biggest companies.
Following up on a warning issued by infosec geeks earlier last year that failed to gain traction, Adversis researchers discovered a lot of sensitive data belonging to major companies and corporations stored in publicly accessible “buckets.”
During testing, they found that links to sensitive internal files can be determined by brute-forcing them (i.e. guessing them), resulting in the exposure of terabytes of sensitive data. This data included passport photos, Social Security and bank account numbers, prototypes and design files, employee lists, financial data, invoices, internal issue trackers, customer lists, archives of years of internal meetings, IT data, VPN configurations, network diagrams, and more.
This is not a bug, the team notes, but rather a misuse of the shared folders functionality. Before going online with their findings, the researchers gave a heads-up to a number of companies that had “highly sensitive data exposed.” They also reached out directly to Box. The latter soon updated its “shared links” documentation to clarify what companies need to do to keep their Box shared files and folders secure:
“Creating public custom shared links for any content may result in anyone who can guess the URL gaining access to that content. To reduce risk to sensitive content, we recommend that:
- Administrators configure Shared Link default access to ‘People in your company’ to reduce accidental creation of public (open) links by users.
- Administrators regularly run a shared link report (as described here) to find and manage public custom shared links.
- Users do not create public (open) custom shared links to content that is not intended for public consumption”
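To illustrate the second recommendation, here is an added example (not code from the article, Adversis, or Box) that triages a shared-link export: it surfaces every public link, ranks the public custom links whose vanity name looks easy to guess highest, and suggests a remediation for each. The column names and the report format are assumptions; adapt them to the report your admin console actually produces.

```python
import csv
import io
import re

# Constructed sample resembling a shared-link export. The column names are an
# assumption for this example, not Box's real report schema.
SAMPLE_REPORT = """item_name,owner,access,custom_link
Q3-financials.xlsx,cfo@example.com,open,https://example.app.box.com/v/q3financials
passport-scans,hr@example.com,open,
press-kit.zip,pr@example.com,open,https://example.app.box.com/v/x7Kq9pLm2vR4tZ8w
network-diagram.vsdx,it@example.com,company,https://example.app.box.com/v/netdiag
vpn-config.ovpn,it@example.com,collaborators,
"""

def vanity_name(link):
    """Return the custom path segment of a '/v/<name>' link, or None."""
    m = re.search(r"/v/([^/?#]+)", link or "")
    return m.group(1) if m else None

def is_easily_guessed(name):
    """Heuristic: short, lowercase, word-like names with few digits are the
    kind a dictionary-style guess would hit; long mixed-case tokens are not."""
    digits = sum(c.isdigit() for c in name)
    return len(name) <= 20 and digits <= 4 and re.fullmatch(r"[a-z0-9-]+", name) is not None

def triage(report_text):
    """List findings for every public ('open') link, highest risk first.
    Risk 3: public custom link with a guessable name; 2: public custom link;
    1: public auto-generated link. Company/collaborator-only links are skipped."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        if row["access"] != "open":
            continue
        name = vanity_name(row["custom_link"])
        if name is None:
            risk, action = 1, "confirm this content is meant to be public"
        elif is_easily_guessed(name):
            risk, action = 3, "remove the custom link or restrict to 'People in your company'"
        else:
            risk, action = 2, "review; restrict to 'People in your company' unless truly public"
        findings.append({"item": row["item_name"], "owner": row["owner"],
                         "vanity_name": name, "risk": risk, "action": action})
    findings.sort(key=lambda f: f["risk"], reverse=True)  # stable: keeps report order within a risk level
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[risk {f['risk']}] {f['item']} ({f['owner']}): {f['action']}")
```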
According to TechCrunch, among the companies with internal data exposed through misconfigured Box buckets are flight-reservation service Amadeus, television network Discovery, nutrition giant Herbalife, PR firm Edelman, medical insurer PointCare, and even Apple and Box themselves.