Box.com has changed the way it handles publicly shared accounts and folders after a researcher found confidential documents and data belonging to Box.com users via Google, Bing and other search engines. While Box.com maintains this is a case of its customers unintentionally over-sharing, it says it has “fixed” the issue.
The problem stems from what Markus Neis, threat intelligence manager for Swisscom, calls a flaw in the way Box.com handles shared cloud storage accounts. Last week, he disclosed that a simple search engine query could expose confidential files of businesses and individuals to anyone on the Internet. Attackers exploiting this issue, he said, could have accessed sensitive data stored on “Collaborative” Box.com accounts managed by businesses and organizations such as Dell Technologies, Discovery Communications, biotech firm Illumina as well as accounts owned by individuals.
Using Google, Bing and other search engines, Neis discovered that he was able to find official invites to more than 10,000 public collaborative Box.com accounts or documents. Neis said many of the accounts contained benign data, however other Box.com accounts contained files and documents labeled “confidential” and included sensitive financial and proprietary company data owners did not intend to share publicly.
“From an attacker’s perspective this is great,” Neis said. “As well gaining access to sensitive information this opens the door to social engineering attacks. Attackers can upload their own malware into a (Box.com) project, identify employee phishing targets by email addresses and simply host malware and share the link (as you can invite people). All of a sudden, your company’s Box.com account is well known for distributing malware.”
According to Neis, the problem is related to the way Box.com allows account holders to invite outside participants to gain access to shared files and folders. When an outside participant was invited to access or “collaborate” with a Box.com cloud storage account, an invite URL was generated. That URL could have been used by anyone to access the shared folder. The problem is tied to the fact Box.com automatically generates a landing page for the URL that in some cases was being indexed by Google, Bing and other search engines, Neis said.
“There was a huge number of invite links that got indexed because people were posting these links online,” he said. “There were also a lot of links found without being able to find references where these links were coming from.”
By default the Collaboration links were generated with Editor permissions granting visitors the ability to view, download, upload, edit and rename files.
Box.com maintains that Collaboration links indexed by search engines were each at one point explicitly shared by Box.com account holders on third-party websites.
“We have contacted Google to remove these public links from their index. This should be fully completed shortly,” according to Box.com. “We have restructured all of these pages to ensure our public collaboration invite links are not indexed by Google going forward.”
Box.com added, “We will continue to assess the permissions model of shared links and ensure that this feature is as usable as possible so we can provide the best security possible to our customers.” Box.com said that its collaboration invite feature is used by many of its customers in public use-cases such as accepting content submissions from a customer’s website and research submissions.
Box.com said that the total number of accounts with Collaborative links exposed to search engines was relatively small.
Threatpost contacted a number of companies publicly sharing documents named “confidential” and “private.” One of those companies was Dell Technologies which was sharing a large cache of sensitive channel partner data labeled as “confidential.”
“A limited set of Dell information was inadvertently and temporarily visible to a broader group of viewers than intended. The issue has been resolved,” wrote Dell Technologies in a prepared statement.
Entertainment company Discovery Communications had dozens of documents and files available to the public related to various video projects. After being contacted by Threatpost, publicly available documents were suddenly inaccessible. Discovery Communications declined to comment.
Biotech firm Illumina, which was sharing nearly two dozen grant proposals, did not return requests for comment for this report.
A further review of Box.com links to Collaborative accounts revealed thousands of files or folders intentionally publicly shared and linked to from public websites. Box.com offers a number of different sharing options for files and folders hosted on its cloud storage service.
“What percentage of those Box.com account intended to share documents and folders, we may never know. But this type of access to data undermines a lot of the meaningful data protection measures Box.com has in place to protect its customers,” Neis said.
