Companies that use Box for sharing files and folders inside and outside the company are inadvertently leaving sensitive corporate and customer data exposed, cybersecurity firm Adversis warns.
Adversis's research turned up plenty of non-sensitive data, but also database dumps of customer information, developer project files, tax documents, resumes, donor names and amounts given, insurance information, Social Security numbers, bank account numbers, design files, IT data, network diagrams, and more.
How does this happen?
“Companies using Box Enterprise get their own sub-domain, and documents saved on Box can be shared to anyone with the unique URL. Users can also name the shared link to whatever they choose. Unfortunately, the sub-domain, URL, and folder names are easily brute-forceable,” the company’s researchers explained.
The main sources of the data-leaking problem are:
- Individual users forgetting that public/open custom links are accessible by anyone who has the link and that these links can be shared on and even guessed. (All new Box share links are generated using random characters, but they can be customized to be more memorable and, therefore, more easily guessed through dictionary attacks.)
- Administrators of Box enterprise storage accounts not configuring Shared Link default access to “People in your company”. Such a set-up would reduce accidental creation of public/open links by individual users within the company.
The extent of the problem
Adversis has created (and open-sourced) Pandora’s Box, a script that finds Enterprise Box accounts and enumerates their shared files and folders, and used it to check how easy it would be for potential attackers to discover sensitive information shared by company employees.
The result? They identified thousands of Box customer sub-domains and hundreds of thousands of documents and terabytes of data exposed across hundreds of customers.
“Initially, we intended to reach out to all the companies affected but we quickly realized that was impossible at this scale,” the researchers noted. They alerted a number of companies that had highly sensitive data exposed and reached out directly to Box.
Box sent out a notification to all customers, warning about the risks that come with an incorrect configuration of Shared Link access. The company also told ZDNet that it offers a tool that allows admins to disable open and custom URLs for their enterprise.
What to do?
Technically, this is not a bug, but it’s definitely a vulnerability.
“The issue could be compared to AWS S3 buckets publicly hosting any manner of documents. Not all are sensitive, but often times they are,” the researchers noted.
“On one hand this issue is worse than the S3 bucket issue because finding a company’s Box account is fairly easy, unlike with S3 bucket names which can be long and difficult to guess. On the other hand, employees seem much less likely to store full databases in Box.”
With the Pandora’s Box tool made available for anyone to use, you can be sure that a certain number of attackers will take the time to scan for publicly accessible Box-hosted files and folders.
So, if your company uses Box, you might want to check whether you are leaking sensitive data, remedy the situation, and put protections in place to prevent it from happening again.
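One way for a Box admin to run that check on their own account, covering both the "open" links and the custom (vanity) link names the researchers describe above, is to walk the folder listings the Box API returns and flag every item whose shared link is public. The script below is an added example written for this page; it is not the article's content and not Adversis's Pandora's Box tool. It relies on the `shared_link` object Box returns for files and folders (its `access` value of `open`, `company` or `collaborators`, and the `vanity_name` set when a link has been customized). The folder tree it audits is a constructed sample embedded in the script; the `fetch_folder_items` and `restrict_link` helpers show how the same listing and fix are done against the live API and are not exercised offline.

```python
"""Audit a Box folder tree for shared links that anyone with the URL can open.

Added example, not part of the article or of Adversis's tool. Item and
shared_link field names follow Box's API reference; the sample tree below is
constructed for the example.
"""
import json
import urllib.request

API_BASE = "https://api.box.com/2.0"
FIELDS = "id,name,type,shared_link"

# Constructed sample: folder id -> entries as GET /folders/{id}/items returns them.
# "0" is the root folder id in Box.
SAMPLE_TREE = {
    "0": [
        {"type": "folder", "id": "10", "name": "Finance", "shared_link": None},
        {"type": "file", "id": "11", "name": "roadmap.pdf",
         "shared_link": {"url": "https://acme.box.com/s/x8q2k9v0zt4n1s7w",
                         "access": "company", "vanity_name": None}},
    ],
    "10": [
        {"type": "file", "id": "20", "name": "donors-2018.xlsx",
         "shared_link": {"url": "https://acme.box.com/s/r4j5mt3a2b1c0d9e",
                         "access": "open", "vanity_name": None}},
        {"type": "file", "id": "21", "name": "tax-return.pdf",
         "shared_link": {"url": "https://acme.box.com/s/k2l3m4n5o6p7q8r9",
                         "access": "open", "vanity_name": "taxes",
                         "vanity_url": "https://acme.box.com/v/taxes"}},
        {"type": "file", "id": "22", "name": "notes.txt", "shared_link": None},
    ],
}


def fetch_folder_items(token, folder_id):
    """Live listing of one folder via the Box API (not used by the offline audit)."""
    items, offset = [], 0
    while True:
        url = (f"{API_BASE}/folders/{folder_id}/items"
               f"?fields={FIELDS}&limit=1000&offset={offset}")
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page["entries"])
        offset += len(page["entries"])
        if not page["entries"] or offset >= page["total_count"]:
            return items


def classify(item):
    """Label one item's shared link as a finding, or return None if it is not risky."""
    link = item.get("shared_link")
    if not link or link.get("access") != "open":
        return None
    # A custom (vanity) name is something a person chose, so it can be guessed from a
    # word list; a random /s/ slug cannot, but it is still open to anyone it is
    # forwarded to, so both count as findings and the custom one is the worse case.
    return "open-custom-url" if link.get("vanity_name") else "open-random-url"


def audit(tree, root="0", path=""):
    """Walk a folder tree (dict of folder id -> entries) and collect (path, label, url)."""
    findings = []
    for item in tree.get(root, []):
        full = f"{path}/{item['name']}"
        label = classify(item)
        if label:
            findings.append((full, label, item["shared_link"]["url"]))
        if item["type"] == "folder":
            findings.extend(audit(tree, item["id"], full))
    return findings


def restrict_link(token, item_type, item_id):
    """Downgrade an item's link to company-only: PUT /files/{id}?fields=shared_link."""
    body = json.dumps({"shared_link": {"access": "company"}}).encode()
    req = urllib.request.Request(
        f"{API_BASE}/{item_type}s/{item_id}?fields=shared_link", data=body, method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["shared_link"]["access"]


if __name__ == "__main__":
    for path, label, url in audit(SAMPLE_TREE):
        print(f"{label:16} {path}  {url}")
```

Run against the sample, the audit reports `donors-2018.xlsx` as an open link with a random slug and `tax-return.pdf` as an open link with a custom name; `roadmap.pdf` is not reported because its link is already restricted to people in the company. To audit a whole enterprise rather than one user's tree, the same walk has to be repeated per user with an admin-scoped token, and the `restrict_link` call is the per-item equivalent of the "People in your company" default the article recommends setting at the admin level.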