Box denies flaw allowed user data to be leaked, but increases precautions
Box is at the centre of a privacy issue after a security researcher discovered confidential user documents and data using generic search engines.
The cloud collaboration specialist confirmed it has changed how it handles publicly shared accounts and folders, but denied that a flaw in its systems was to blame, and said it has now added extra precautions to safeguard user data.
The Box.com data issue was reportedly discovered by Markus Neis, threat intelligence manager for Swisscom, according to Threatpost.
According to Neis, the problem arose because of the way Box handles shared cloud storage accounts. He alleged that could have allowed attackers to access sensitive data stored on “Collaborative” Box accounts managed by businesses and individuals.
Companies such as Dell Technologies, Discovery Communications and biotech firm Illumina, as well as individual accounts, were said to have been affected.
There is no word on the precise numbers involved (although the numbers are said to be relatively small).
The issue seems to have arisen after Neis discovered he could find official invites to more than 10,000 public collaborative Box accounts or documents, just by using Google, Bing and other search engines.
Neis said many of the accounts contained benign data, however other Box accounts contained documents labelled “confidential” and included sensitive financial and proprietary data owners did not intend to share publicly.
“From an attacker’s perspective this is great,” Neis was quoted as saying. “As well as gaining access to sensitive information, this opens the door to social engineering attacks.”
So what exactly caused the data breach?
Well, according to Neis, the problem is related to the way Box allows Collaborative account holders to invite outside participants to gain access to shared files and folders.
It seems that when an outside participant was invited to access or “collaborate” with a Box cloud storage account, an invite URL was generated. This URL leads to an automatically generated Box.com landing page, which in some cases was being indexed by Google, Bing and other search engines.
“There was a huge number of invite links that got indexed because people were posting these links online,” he is quoted as saying. “There were also a lot of links found without being able to find references where these links were coming from.”
But Box said the issue had arisen due to a feature, rather than a flaw, and told Silicon UK that extra safeguards had been taken.
“Secure content sharing is core to Box,” Box told Silicon. “Because every user and customer have different sharing needs, we provide many options to make it easy to share content with settings that are as open or as restrictive as needed. We’ve invested a lot in our security model around shared links and continue to explore ways to mitigate any potential issues.”
It seems that Box has made changes to the settings for open collaboration invites and links, including taking extra precautions to ensure no collaboration links are indexed by Google.
Silicon understands that Box has contacted Google and other search engines to remove any public collaboration invitation links from their index, and has proactively disabled those public links that were indexed.
It has also changed its collaboration invite pages to ensure that they will not be indexed by Google and other search engines in the future, and has changed the default settings on folders so that folder owners must explicitly turn on the collaboration invitation feature, ensuring collaboration links aren’t generated inadvertently.
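The fix described above relies on invite landing pages carrying a directive that tells search engines not to index them. As an added example, not Box’s own code and not something the article reports on how Box implemented the change, here is a small Python audit a defender could run against their own sharing or invite landing pages to confirm that each one opts out of indexing, either through an X-Robots-Tag response header or a robots meta tag. The URLs, headers and HTML bodies in SAMPLE_PAGES are constructed for the example.

```python
from html.parser import HTMLParser

# Constructed sample responses (not real Box pages): each entry is
# (url, response headers, HTML body) as captured from an internal crawl
# of one's own invite landing pages.
SAMPLE_PAGES = [
    ("https://share.example.invalid/invite/1111",
     {"Content-Type": "text/html"},
     '<html><head><meta name="robots" content="noindex, nofollow"></head>'
     '<body>Invite</body></html>'),
    ("https://share.example.invalid/invite/2222",
     {"Content-Type": "text/html", "X-Robots-Tag": "googlebot: noindex"},
     "<html><head><title>Invite</title></head><body>Invite</body></html>"),
    ("https://share.example.invalid/invite/3333",
     {"Content-Type": "text/html"},
     "<html><head><title>Invite</title></head><body>Invite</body></html>"),
]


def _split_directives(value):
    """Split 'noindex, nofollow' or 'googlebot: noindex' into lowercase tokens."""
    tokens = []
    for part in value.split(","):
        part = part.strip().lower()
        # Bot-scoped form "googlebot: noindex": keep only the directive after the colon.
        if ":" in part and not part.startswith("unavailable_after"):
            part = part.split(":", 1)[1].strip()
        if part:
            tokens.append(part)
    return tokens


class _RobotsMetaParser(HTMLParser):
    """Collect directives from <meta name="robots|googlebot|bingbot"> tags."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() in ("robots", "googlebot", "bingbot"):
            self.directives.extend(_split_directives(attr.get("content", "")))


def header_directives(headers):
    """Directives taken from any X-Robots-Tag header (header names are case-insensitive)."""
    return [t for k, v in headers.items()
            if k.lower() == "x-robots-tag" for t in _split_directives(v)]


def is_noindex(headers, html):
    """True if the header or a robots meta tag opts the page out of indexing.

    'none' is treated as equivalent to 'noindex, nofollow'.
    """
    found = set(header_directives(headers))
    parser = _RobotsMetaParser()
    parser.feed(html)
    found.update(parser.directives)
    return "noindex" in found or "none" in found


def audit(pages):
    """Return the URLs of pages that would still be eligible for indexing."""
    return [url for url, headers, html in pages if not is_noindex(headers, html)]


if __name__ == "__main__":
    for url in audit(SAMPLE_PAGES):
        print("indexable:", url)
```

Two caveats worth keeping in mind when reading the audit’s output: a noindex directive only takes effect if crawlers are allowed to fetch the page, so blocking the same URLs in robots.txt would hide the directive rather than help; and noindex only reduces discoverability. Anyone who already holds an invite link that was posted publicly can still open it until the link itself is disabled, which is why the article notes that Box also deactivated the indexed links.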