Pen-testing experts have made a worrisome discovery regarding the popular cloud storage service Box, specifically the Enterprise version used by some of the world’s biggest companies.

Following up on a warning from the infosec community earlier last year that gained little traction, researchers at Adversis found large volumes of sensitive data belonging to major companies and corporations exposed through publicly accessible Box shared folders.

During testing, they found that public shared links to sensitive internal files can be discovered by brute force, i.e. by guessing their human-readable URLs, resulting in the exposure of terabytes of sensitive data. This data included passport photos, Social Security and bank account numbers, prototypes and design files, employee lists, financial data, invoices, internal issue trackers, customer lists, archives of years of internal meetings, IT data, VPN configurations, network diagrams, and more.

This is not a bug in Box, the team notes, but a misuse of the shared folders functionality: the links were deliberately set to public and given guessable custom names. Before publishing their findings, the researchers gave a heads-up to a number of companies that had “highly sensitive data exposed.” They also reached out directly to Box, which soon updated its “shared links” documentation to clarify what companies need to do to keep their Box shared files and folders secure:

“Creating public custom shared links for any content may result in anyone who can guess the URL gaining access to that content. To reduce risk to sensitive content, we recommend that:

  • Administrators configure Shared Link default access to ‘People in your company’ to reduce accidental creation of public (open) links by users.
  • Administrators regularly run a shared link report (as described here) to find and manage public custom shared links.
  • Users do not create public (open) custom shared links to content that is not intended for public consumption”

According to TechCrunch, the companies with internal data exposed through misconfigured Box shared links include flight-reservation service Amadeus, television network Discovery, nutrition giant Herbalife, PR firm Edelman, medical insurer PointCare, and even Apple and Box themselves.