Misconfigured Box accounts lead to leaked sensitive data

Clare Hopping

12 Mar, 2019

Businesses are putting customer and other confidential company data at risk because they’re not properly securing their Box cloud storage accounts, a report by security firm Adversis has revealed.

The problem lies in the way links are shared between Box users. Employees are able to share public links to files in the Box folders, which could be easily intercepted and hacked, or shared with people outside of the organisation.

The “secret” links can be easily discovered using a script that can scan for Box accounts in use on a network, using lists of company names and wildcard searches. The security firm found more than 90 companies with publicly accessible folders, including tech firms that should know better. In fact, Box itself was one of the companies revealed to have publicly accessible data available.

“Initially, we intended to reach out to all the companies affected but we quickly realized that was impossible at this scale,” Adversis said. “A large percentage of the Box customer accounts we tested had thousands of sensitive documents exposed. We alerted a number of companies that had highly sensitive data exposed, reached out directly to Box, and published this write up.”

Even more worrying, some of these links were discoverable by Google and other search engines, meaning they could, theoretically, be indexed in search results.

Some of the data Adversis found to be available to anyone looking for it included personal details, such as passport information, bank account details and passwords, finance data, including invoices and customer details.

Some of the businesses highlighted as not properly securing their Box accounts were Apple, PR firm Edelman, Schneider Electric and TV network Discovery.

“We take our customers’ security seriously and we provide controls that allow our customers to choose the right level of security based on the sensitivity of the content they are sharing,” Box said in a statement. “In some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to public or ‘open’.

“We are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links.”