If your company uses Box for cloud-based file sharing, security researchers are advising you to stop reading right now and immediately disable public file sharing: vanity-named subdomains and URLs are “easily brute-forceable,” leaving companies’ publicly shared data open to extremely easy attacks.
Security firm Adversis published a
report on Monday after using a “relatively large” wordlist to uncover hundreds of Box customers’ subdomains, through which they could access hundreds of thousands of documents and terabytes of extremely sensitive data. A sampling of what the researchers found:
- Hundreds of passport photos
- Social Security and bank account numbers
- High-profile technology prototype and design files
- Lists of employees
- Financial data, invoices, internal issue trackers
- Customer lists and archives of years’ worth of internal meetings
- IT data, VPN configurations, network diagrams
Adversis says its initial impulse was to reach out to all the affected companies, but the scale of the task ruled that out. After finding that a large percentage of Box customer accounts that it tested had thousands of exposed, sensitive documents, the firm alerted some of those companies, gave Box a heads-up – that was on 24 September – and published its report. As Box Chief Customer Officer Jon Herstein
said in a blog post on Sunday, Box offers various ways for its customers to allow content sharing both between employees and outside the company. Data stored in Box enterprise accounts is private by default. But in order to make it easy for its customers to share content with large groups – be it privately or publicly – Box offers the “Custom Shared Link” feature, which enables its customers to customize the default secure shared links so they’re easier to find. Box gives the example of a car company that wants to distribute public press releases for a product launch: you can see where the car company would like the idea of customizing the URL to read something like this: https://<carcompanyname>.app.box.com/v/<pressrelease> This is neither a bug nor a vulnerability, mind you. It’s simply a way to easily make data publicly accessible with a single link. In fact, Adversis noted, it was called out as an easy attack method back in June 2018.
