{"id":38126,"date":"2019-03-12T08:18:04","date_gmt":"2019-03-12T08:18:04","guid":{"rendered":"http:\/\/icloud.pe\/blog\/?guid=c1f2a836d5d8b9879e1268ec505d7dbc"},"modified":"2019-03-12T08:18:04","modified_gmt":"2019-03-12T08:18:04","slug":"misconfigured-box-accounts-lead-to-leaked-sensitive-data","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/misconfigured-box-accounts-lead-to-leaked-sensitive-data\/","title":{"rendered":"Misconfigured Box accounts lead to leaked sensitive data"},"content":{"rendered":"<p><span class=\"field field-name-field-author field-type-node-reference field-label-hidden\"><br \/>\n      <span class=\"field-item even\"><a href=\"https:\/\/www.cloudpro.co.uk\/authors\/clare-hopping\">Clare Hopping<\/a><\/span><br \/>\n  <\/span><\/p>\n<div class=\"field field-name-field-published-date field-type-datetime field-label-hidden\">\n<div class=\"field-items\">\n<div class=\"field-item even\"><span class=\"date-display-single\">12 Mar, 2019<\/span><\/div>\n<\/p><\/div>\n<\/div>\n<p class=\"short-teaser\">\n<a href=\"https:\/\/www.cloudpro.co.uk\/\" title=\"\" class=\"combined-link\"><\/a><\/p>\n<div class=\"field field-name-body\">\n<p> Businesses are putting customer and other confidential company data at risk because they\u2019re not properly securing their Box cloud storage accounts, a report by security firm Adversis has revealed.<\/p>\n<p>The problem lies in the way links are shared between Box users. Employees are able to share public links to files in the Box folders, which could be easily intercepted and hacked, or shared with people outside of the organisation.<\/p>\n<p>The \u201csecret\u201d links can be easily discovered using a script that can scan for Box accounts in use on a network, using lists of company names and wildcard searches. The security firm found more than 90 companies with publicly accessible folders, including tech firms that should know better. In fact, Box itself was one of the companies revealed to have publicly accessible data available.<\/p>\n<p>\u201cInitially, we intended to reach out to all the companies affected but we quickly realized that was impossible at this scale,\u201d Adversis said. \u201cA large percentage of the Box customer accounts we tested had thousands of sensitive documents exposed. We alerted a number of companies that had highly sensitive data exposed, reached out directly to Box, and published this write up.\u201d<\/p>\n<p>Even more worrying, some of these links were discoverable by Google and other search engines, meaning they could, theoretically, be indexed in search results.<\/p>\n<p>Some of the data Adversis found to be available to anyone looking for it included personal details, such as passport information, bank account details and passwords, finance data, including invoices and customer details.<\/p>\n<p>Some of the businesses highlighted as not properly securing their Box accounts were Apple, PR firm Edelman, Schneider Electric and TV network Discovery.<\/p>\n<p>\u201cWe take our customers\u2019 security seriously and we provide controls that allow our customers to choose the right level of security based on the sensitivity of the content they are sharing,\u201d Box said in a statement. \u201cIn some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to public or \u2018open\u2019.<\/p>\n<p>\u201cWe are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links.\u201d <\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>      Clare Hopping<\/p>\n<p>        12 Mar, 2019    <\/p>\n<p>       Businesses are putting customer and other confidential company data at risk because they\u2019re not properly securing their Box cloud storage accounts, a report by security firm Adversis has revea&#8230;<\/p>\n","protected":false},"author":400,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-38126","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/38126","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/users\/400"}],"replies":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/comments?post=38126"}],"version-history":[{"count":1,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/38126\/revisions"}],"predecessor-version":[{"id":38127,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/38126\/revisions\/38127"}],"wp:attachment":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/media?parent=38126"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/categories?post=38126"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/tags?post=38126"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}