Security researchers have found that hundreds of thousands of documents were unintentionally exposed after multiple companies left sensitive corporate and customer data publicly accessible through their Box enterprise storage accounts. According to the researchers, the exposure stems not from a vulnerability in Box but from how a feature of the service, public shared links, is being used.
“After identifying thousands of Box customer sub-domains through standard intelligence gathering techniques and using a relatively large wordlist, we discovered hundreds of thousands of documents and terabytes of data exposed across hundreds of customers,” researchers at Adversis wrote in a blog post.
“The issue could be compared to AWS S3 buckets publicly hosting any manner of documents. Not all are sensitive, but oftentimes they are. On one hand this issue is worse than the S3 bucket issue because finding a company's Box account is fairly easy, unlike with S3 bucket names, which can be long and difficult to guess. On the other hand, employees seem much less likely to store full databases in Box.”
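The discovery method the researchers describe, a list of tenant subdomains combined with a wordlist, can be turned into a self-audit for a defender. The script below is an added example, not Adversis' tooling or Box's code. It assumes (this is not stated on the page) that Box custom shared links take the form https://<tenant>.app.box.com/v/<name>; the tenant name "acme", the wordlist and the stub responder are all constructed so the demonstration runs offline, and the HTTP fetcher is injectable so the same code can be pointed at a tenant you are authorised to test.

```python
"""
Added example (not from the article, Adversis or Box): enumerate candidate
Box custom shared links for a tenant from a wordlist and flag the ones that
resolve without authentication.

Assumptions not present in the article:
  * custom shared links look like https://<tenant>.app.box.com/v/<name>
  * a 200 response means the link resolves anonymously (a password-protected
    link also answers 200 with a password prompt, so hits need manual review)
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List
import urllib.error
import urllib.request

# Assumed Box custom-link pattern (see module docstring).
LINK_TEMPLATE = "https://{tenant}.app.box.com/v/{name}"


@dataclass
class Finding:
    url: str
    status: int
    public: bool  # True when the link answered 200 with no credentials


def candidate_urls(tenants: Iterable[str], wordlist: Iterable[str]) -> List[str]:
    """Cartesian product of tenant subdomains and vanity-name guesses,
    skipping blank wordlist entries."""
    names = [w.strip() for w in wordlist if w.strip()]
    return [LINK_TEMPLATE.format(tenant=t, name=n) for t in tenants for n in names]


def http_status(url: str, timeout: float = 5.0) -> int:
    """Real fetcher: HEAD the URL and return the HTTP status code.
    Only point this at tenants you own or are authorised to test."""
    req = urllib.request.Request(
        url, method="HEAD", headers={"User-Agent": "box-link-audit"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(
    tenants: Iterable[str],
    wordlist: Iterable[str],
    fetch: Callable[[str], int] = http_status,
) -> List[Finding]:
    """Probe every candidate link and record whether it resolved anonymously."""
    findings = []
    for url in candidate_urls(tenants, wordlist):
        status = fetch(url)
        findings.append(Finding(url=url, status=status, public=(status == 200)))
    return findings


def exposed(findings: Iterable[Finding]) -> List[str]:
    """URLs that resolved without authentication and need review."""
    return [f.url for f in findings if f.public]


# Constructed stub standing in for Box: two vanity names "exist" for acme,
# everything else is a 404. Replace stub_fetch with http_status for a real run.
STUB_PUBLIC: Dict[str, int] = {
    "https://acme.app.box.com/v/payroll": 200,
    "https://acme.app.box.com/v/passports": 200,
}


def stub_fetch(url: str) -> int:
    return STUB_PUBLIC.get(url, 404)


# Constructed wordlist; a real run would use a large vanity-name list.
SAMPLE_WORDLIST = ["payroll", "passports", "backup", "hr", ""]

if __name__ == "__main__":
    for finding in audit(["acme"], SAMPLE_WORDLIST, fetch=stub_fetch):
        print(("PUBLIC " if finding.public else "closed ") + finding.url)
```

Two caveats for a real run: a hit only means the link resolved anonymously, so each one still has to be opened and classified (some will be marketing collateral, some will be passport scans), and the same wordlist approach the researchers used works just as well for an attacker, which is why the fix is to disable or restrict public shared links at the tenant level rather than to hope vanity names stay unguessed.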
Because staff had shared files through public links, the exposed information was easily discoverable. It included passport photos, Social Security and bank account numbers, intellectual property, employee lists, and financial and IT data.
“Permissions on document and file-sharing services are a big risk today. But the issue is not specific to just Box – services like Dropbox, Google Drive and others all share the same inherent risk associated with file sharing,” said Jason Haddix, VP of Researcher Growth at Bugcrowd.
“Despite what any company’s security team might say, people are still going to use these services because the collaboration capabilities and ease of use far outweigh any security fears for users.
“To make sharing easier, users often make these files accessible to anyone with the hyperlink. These links then get shared from user to user, eventually traversing other networks and making their way into other documents. Given this life cycle, we’ve seen numerous privacy- and security-related incidents associated with file sharing misconfigurations over the years.”