Sensitive data from large companies leaked through Box accounts

Companies that use Box as a cloud-based file hosting and sharing system may accidentally leak their internal files, sensitive documents or proprietary technology. That discovered security company Adversis, which worked with Box and affected companies to fix the errors.

The leaks are the result of a human error, reports ZDNet. The problem occurs with accounts that do not set the access level “People in your company” by default to create part links for files or folders. All created links are therefore accessible to everyone.

Let the organization users also modify a link to make it more beautiful, then links to the files can be guessed with dictionary attacks. That’s what Adversis did last year. The company argues that it scanned Box for accounts owned by large companies and tried to guess the URLs of files or folders that were previously shared by employees.

Adversis says that this also succeeded, and has come across various forms of sensitive data. These include hundreds of passport photos, citizen service numbers, employee lists, prototypes and designs of technology and VPN configurations. Some of the internal files turned out to be from Apple, Discovery Channel, Herbalife, Schneider Electric and even Box itself.

Leaky poem

By now, most of the leaks have been closed. In addition, last September Box informed all its customers of the danger of using the wrong access permissions for shared links from Box. Box account owners are advised to review their account settings and use the tools described by Box in a blog post to see how many publicly accessible URLs employees have created in the past.

It is not known whether fewer public URLs have been created since the September alert. “We don’t proactively scan our customers’ deployments,” says a company spokesperson. “But when customers need help or need to look at a specific problem, we work with them to look at their links and identify potential problems.