Apple is one of a number of high-profile companies that had corporate data exposed through their accounts on Box, an enterprise cloud storage service.
In all, cybersecurity firm Adversis found that data from more than 90 companies was exposed …
TechCrunch reports that the issue arose due to a weakness with the public link feature offered by Box.
Security researchers have found dozens of companies inadvertently leaking sensitive corporate and customer data because staff are sharing public links to files in their Box enterprise storage accounts that can be easily discovered […]
Although data stored in Box enterprise accounts is private by default, users can share files and folders with anyone, making data publicly accessible with a single link. But Adversis said these secret links can be discovered by others. Using a script to scan for and enumerate Box accounts with lists of company names and wildcard searches, Adversis found over 90 companies with publicly accessible folders.
Adversis wrote in a blog post that the privacy problem existed on a massive scale.
We discovered hundreds of thousands of documents and terabytes of data exposed across hundreds of customers.
A sampling of data we found:
- Hundreds of passport photos
- Social Security and Bank Account Numbers
- High profile technology prototype and design files
- Employee lists
- Financial data, invoices, internal issue trackers
- Customer lists and archives of years of internal meetings
- IT data, VPN configurations, network diagrams
Essentially, all Adversis did was take the known domain and sub-domain names of companies with Box accounts (http://company.app.box.com/) and then run a dictionary attack against those subdomains to identify valid shared links.
The security company first reported the issue to Box back in September, and has waited until today to make it public, to give companies time to remove sensitive data.
TechCrunch said that while many companies exposed sensitive data, that did not appear to be the case with Apple – which has since taken steps to protect its information.
Apple had several folders exposed, containing what appeared to be non-sensitive internal data, such as logs and regional price lists […]
Amadeus, Apple, Box, Discovery, Herbalife, Edelman and Pointcare all reconfigured their enterprise accounts to prevent access to their leaking files after TechCrunch reached out.
Box said that it is taking action.
Box spokesperson Denis Ron said in a statement: “We take our customers’ security seriously and we provide controls that allow our customers to choose the right level of security based on the sensitivity of the content they are sharing. In some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to public or ‘open’. We are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links.”
The cloud giant said it plans to reduce the unintended discovery of public files and folders.
Box recommends that customers use the access controls it already provides: limiting link access to users with company email addresses, password-protecting shared links, and setting expiration policies so that links stop working after a set date.
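The controls above only help if someone checks that they are actually applied. The following audit is an added example (not code from Box, Adversis or TechCrunch): it walks a constructed inventory of shared links and flags public ("open") links that lack a password, never expire, or expire too far in the future. The field names in the inventory are assumptions about what an admin export might contain; the access levels mirror Box's shared-link settings, with "open" being the public level quoted in the article.

```python
from datetime import datetime, timezone

# Constructed sample inventory (not real Box data). Field names are assumptions.
SAMPLE_LINKS = [
    {"path": "/Finance/invoices-2018.xlsx", "access": "open",
     "password_protected": False, "unshared_at": None},
    {"path": "/IT/vpn-config.ovpn", "access": "open",
     "password_protected": True, "unshared_at": "2019-04-01T00:00:00+00:00"},
    {"path": "/Marketing/press-kit.zip", "access": "open",
     "password_protected": True, "unshared_at": "2030-01-01T00:00:00+00:00"},
    {"path": "/HR/employee-list.csv", "access": "company",
     "password_protected": False, "unshared_at": None},
]


def audit_shared_links(links, now=None, max_days=30):
    """Return a list of (path, reason) for every link that breaks the policy:
    public ("open") links must be password-protected and must expire within
    max_days of `now`. Links limited to the company or to collaborators pass.
    `now` may be a timezone-aware datetime or an ISO-8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now(timezone.utc)
    findings = []
    for link in links:
        if link["access"] != "open":
            continue  # not reachable by anyone holding the URL
        if not link["password_protected"]:
            findings.append((link["path"], "public link without password"))
        expiry = link["unshared_at"]
        if expiry is None:
            findings.append((link["path"], "public link never expires"))
        else:
            days_left = (datetime.fromisoformat(expiry) - now).days
            if days_left > max_days:
                findings.append((link["path"],
                                 f"public link expires in {days_left} days (> {max_days})"))
    return findings


if __name__ == "__main__":
    for path, reason in audit_shared_links(SAMPLE_LINKS, now="2019-03-11T00:00:00+00:00"):
        print(f"{path}: {reason}")
```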