- Improper configuration of enterprise accounts in Box is leading to exposure of confidential documents.
- Company subdomains created with Box Enterprise were found to be vulnerable to brute-force attacks.
Box, a popular file-sharing platform, was found to be leaking sensitive data. According to a report by the security firm Adversis, hundreds of thousands of documents are likely exposed because of improper security configuration in certain enterprise accounts.
What is the issue - Because of improper security configuration, subdomains created for Box enterprise accounts appear to have been accessible to anyone who obtained the right link. On top of this, these subdomains and their URLs could be targeted by brute-force and dictionary attacks.
Adversis reported that, “These can be easily verified by going to https://<companyname>.account.box.com. If the link returns the company's logo, they have a paid account and are probably susceptible.”
What kind of information is exposed - Though Box is not generally used for storing entire databases, enterprise accounts might be used to store many other sensitive documents. The researchers found that the exposed documents can include sensitive details such as:
- Social Security numbers and Bank account numbers
- Passport photos
- Confidential files related to the company's prototypes and designs
- Employee lists, financial data and invoices
- Customer lists and meeting archives
- IT data, VPN configurations and network diagrams
How big is the impact - The researchers observed that the number of affected accounts was too large to address individually, which is why they decided to publish their findings.
“Initially, we intended to reach out to all the companies affected but we quickly realized that was impossible at this scale. A large percentage of the Box customer accounts we tested had thousands of sensitive documents exposed,” Adversis researchers stated in their blog.
How to resolve the issue - Following the incident, Box has recommended that users share documents only with people in their network by changing the default access to ‘People in your company’.
Additionally, users are advised to create reports on public custom shared links so that such links can be monitored.
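As a defender-side check on the recommendation above, the following script (added here; it is not code from Box or from the Adversis report) scans a Box folder listing for shared links whose access level is "open" and builds the request body that switches them to "People in your company". It assumes the shape of the Box v2 API folder-items response and its shared_link.access values ("open", "company", "collaborators"); the sample listing is constructed.

```python
"""Audit a Box folder listing for publicly reachable shared links."""
import json

# Constructed sample of what GET /folders/{id}/items?fields=name,shared_link
# might return (assumed Box v2 API shape); ids, names and URLs are made up.
SAMPLE_LISTING = json.dumps({
    "entries": [
        {"type": "file", "id": "1001", "name": "vpn-config.txt",
         "shared_link": {"url": "https://app.box.com/s/abc", "access": "open"}},
        {"type": "file", "id": "1002", "name": "invoices-q1.xlsx",
         "shared_link": {"url": "https://app.box.com/s/def", "access": "company"}},
        {"type": "folder", "id": "2001", "name": "prototypes",
         "shared_link": {"url": "https://app.box.com/s/ghi", "access": "open"}},
        {"type": "file", "id": "1003", "name": "notes.md", "shared_link": None},
    ]
})

# Box shared-link access levels, from most to least exposed (assumed API values).
PUBLIC_ACCESS = "open"          # anyone who has the link
COMPANY_ACCESS = "company"      # the "People in your company" setting


def find_open_links(listing_json):
    """Return (type, id, name, url) for every item whose shared link is public."""
    entries = json.loads(listing_json).get("entries", [])
    flagged = []
    for item in entries:
        link = item.get("shared_link") or {}   # items with no link are skipped
        if link.get("access") == PUBLIC_ACCESS:
            flagged.append((item["type"], item["id"], item["name"], link.get("url")))
    return flagged


def remediation_payload(target_access=COMPANY_ACCESS):
    """Body for PUT /files/{id} or PUT /folders/{id} that tightens the link."""
    return {"shared_link": {"access": target_access}}


if __name__ == "__main__":
    for kind, item_id, name, url in find_open_links(SAMPLE_LISTING):
        print(f"PUBLIC {kind} {item_id} '{name}' -> {url}")
        print("  fix with:", json.dumps(remediation_payload()))
```

Run it against a real listing by replacing SAMPLE_LISTING with the JSON returned for each folder you audit; items with a company-only or collaborator-only link are not flagged.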