Companies are leaking sensitive files via Box accounts

Leaks discovered at Apple, the Discovery Channel, Herbalife, Schneider Electric, and even Box itself.

Box Box.com

Image: Box

Companies that use Box.com as a cloud-based file hosting and sharing system might be accidentally exposing internal files, sensitive documents, or proprietary technology.

The exposure occurs due to human error, said Adversis, the cyber-security firm which investigated this issue and worked with Box and affected companies to correct it.

The problem lies with Box.com account owners who don't set a default access level of "People in your company" for file/folder sharing links, leaving all newly created links accessible to the public.

If the organization also allows users to customize the link with vanity URLs instead of using random characters, then the links of these files can be guessed using dictionary attacks.

This is what Adversis did last year. The company says it scanned Box.com for accounts belonging to large companies and attempted to guess vanity URLs of files or folders that employees shared in the past.

Its efforts weren't in vain. In a report published today, Adversis said it found a trove of highly sensitive data such as:

  • Hundreds of passport photos 
  • Social Security and Bank account numbers 
  • High profile technology prototype and design files 
  • Employees lists 
  • Financial data, invoices, internal issue trackers 
  • Customer lists and archives of years of internal meetings 
  • IT data, VPN configurations, network diagrams

TechCrunch, which was privy to some of the Adversis' research findings, said that some of the companies which exposed internal files included the likes of Apple, the Discovery Channel, Herbalife, Schneider Electric, and even Box itself.

Most of these file leaks have been fixed, and Box notified all customers last September of the dangers of using incorrect access permissions for Box.com share links.

ZDNet reached out to Box earlier today and asked about the tools and features that companies have at their disposal to inspect their portfolio of publicly accessible links.

"We provide admins tools to run various reports on open links across their enterprise, as well as to disable open and custom URLs for their enterprise," a Box spokesperson told us via email. "Admins can also ensure that 'People in the Company' is the default setting for all shared links to limit the potential for a user to set a [file] as public inadvertently."

We also asked if Box saw a decline in the number of share links that are set with public access since September last year after the company sent out its security alert.

"We don't proactively scan our customers' deployments, but if customers need assistance or need to examine a specific issue we will work with them to examine their links and identify any potential issues," the Box spokesperson said.

Box.com account owners are advised to review their account settings and use the tools that Box described in a blog post today to see how many publicly accessible links employees have created in the past.

Some of these public Box URLs may host unimportant files, but some might host proprietary technology that employees might have accidentally placed inside a publicly accessible link that uses a vanity URL.

Security researcher Robbie Wiggins told ZDNet in a Twitter conversation today that he expects scans for public Box URLs to explode in the coming days.

He based his statement on the fact that Adversis also open-sourced the tool they used last year. This tool is now on GitHub and available to everyone.

Wiggins, who ran the tool for a few hours earlier today, says he identified over 2,900 companies with Box accounts but didn't find any files left open to the public just yet.

These scans are bound to take a lot of time. By default, all new Box share links are generated using random characters, and users need to modify the URL with vanity terms on purpose. This means that even if a company has a large number of publicly accessible Box-hosted files and folders, not all of them would have vanity URLs --and be easy to find with the Adversis scan tool.

It will be like looking for a needle in a haystack, but if these inadvertently exposed files contain highly sensitive documents, then hackers are bound for a big payday, and bug hunters are in line for a big reward from the company that leaked the files in the first place.

A spokesperson for Bugcrowd, a bug bounty platform, wasn't able to tell ZDNet how many bug reports have been submitted in the past detailing data leaks caused by Box accounts. However, this doesn't mean company's aren't willing to pay researchers who find any.

"Bugcrowd has seen numerous privacy- and security-related incidents associated with file sharing misconfigurations throughout the past four years," Jason Haddix, VP of Researcher Growth, Bugcrowd, told ZDNet via email.

"Our responsible program owners usually accept these incidents and reward them through bug bounty programs. Security teams then use these incidents as an opportunity to strengthen their file-sharing permission settings and policies."

More data breach coverage: