Adversis, a cyber-security firm, says it has discovered that Box customers were leaking corporate data belonging to more than 90 companies. Box is a cloud file storage and sharing service similar to OneDrive and Google Drive, used by large companies including Amadeus, Apple, Discovery and others.
The exposure comes from Box shared-link URLs that are easy to guess or enumerate; it is not a software bug in Box. The affected companies were not aware that they were exposing sensitive corporate and customer information when they created public links to files. Box enterprise accounts are private by default, but users can share any file or folder with anyone via a link. Because such a link works without a Box login, anyone who guesses or otherwise discovers it can open the file it points to, and those files often contain sensitive data.
The TechCrunch report says, “Although data stored in Box enterprise accounts are private by default, users can share files and folders with anyone, making data publicly accessible with a single link. But Adversis said others could discover these secret links. Using a script to scan for and enumerate Box accounts with lists of company names and wildcard searches, Adversis found over 90 companies with publicly accessible folders.”
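The practical defence for a Box administrator is the reverse of what Adversis did: enumerate your own content, find every shared link whose access level is "open" (no login required), and review it. The audit below is an added example written for this article, not code from Adversis, TechCrunch or Box. It works on file objects in the shape of the Box API's file resource with the `shared_link` field included; the field names it relies on (`access`, `unshared_at`, `vanity_url`, `permissions.can_download`) are our understanding of that API and should be checked against the current Box reference before use, and the sample records are constructed so the script runs offline. Fetching the real objects is left to the caller.

```python
from datetime import datetime, timezone

# Constructed sample input: five file records shaped like the Box API's file
# resource with the "shared_link" field. Names, IDs and URLs are made up for
# this example; the field names are assumed from the Box API docs.
SAMPLE_FILES = [
    {"id": "1001", "name": "board-deck-q3.pdf",
     "shared_link": {"url": "https://acme.app.box.com/s/x9k2mq7pq4",
                     "vanity_url": "https://acme.app.box.com/v/board-deck",
                     "access": "open", "unshared_at": None,
                     "permissions": {"can_download": True}}},
    {"id": "1002", "name": "internal-roadmap.xlsx",
     "shared_link": {"url": "https://acme.app.box.com/s/p3d8vwz1tk",
                     "vanity_url": None,
                     "access": "company", "unshared_at": None,
                     "permissions": {"can_download": True}}},
    {"id": "1003", "name": "press-kit-2018.zip",
     "shared_link": {"url": "https://acme.app.box.com/s/hq6r2nc0mj",
                     "vanity_url": None,
                     "access": "open", "unshared_at": "2019-01-01T00:00:00Z",
                     "permissions": {"can_download": True}}},
    {"id": "1004", "name": "meeting-notes.txt",
     "shared_link": None},
    {"id": "1005", "name": "customer-list.csv",
     "shared_link": {"url": "https://acme.app.box.com/s/b4n7yd2xls",
                     "vanity_url": None,
                     "access": "open", "unshared_at": None,
                     "permissions": {"can_download": False}}},
]


def _parse_ts(value):
    # Box timestamps are ISO 8601; accept the trailing "Z" form as UTC.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_shared_links(files, now_iso=None):
    """Return the files reachable by anyone on the internet via a live shared
    link, with the reasons each one is worth a second look."""
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    findings = []
    for f in files:
        link = f.get("shared_link")
        if not link:
            continue  # not shared by link at all
        if link.get("access") != "open":
            continue  # "company" / "collaborators" links still require a login
        expiry = link.get("unshared_at")
        if expiry and _parse_ts(expiry) <= now:
            continue  # link has already been unshared automatically
        reasons = []
        if link.get("vanity_url"):
            # Custom URLs are human-readable, so they are the easiest to guess
            # with a company-name wordlist; the random /s/ token is not.
            reasons.append("custom URL is human-readable and easy to guess")
        if link.get("permissions", {}).get("can_download"):
            reasons.append("download allowed")
        else:
            reasons.append("preview only")
        if not expiry:
            reasons.append("no expiry set")
        findings.append({
            "id": f["id"],
            "name": f["name"],
            "url": link.get("vanity_url") or link["url"],
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_shared_links(SAMPLE_FILES):
        print(f'{finding["id"]} {finding["name"]} {finding["url"]}')
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

On the constructed sample only the two files with a live "open" link are reported: the board deck (custom URL, download allowed, no expiry) and the customer list (preview only, no expiry). The company-only link and the link that already expired in 2019 are skipped. In a real tenant the same function can be run over every item returned by a recursive folder listing that requests the `shared_link` field, and the obvious follow-ups are to downgrade "open" links to "company", remove custom URLs on anything sensitive, and set an expiry on links that must stay public.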
Box spokesperson Denis Roy told the publication, “We take our customers’ security seriously, and we provide controls that allow our customers to choose the right level of security based on the sensitivity of the content they are sharing. In some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to the public or ‘open.’ We are taking steps to make these settings more clean and bright, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links.”