
Misconfigured Enterprise Box accounts leak terabytes of sensitive internal data

Filip TRUȚĂ

March 12, 2019


Penetration testers have made a worrisome discovery regarding the popular cloud storage service Box, specifically the Enterprise version used by some of the world's biggest companies.

Following up on a warning published by other security researchers in 2018 that failed to gain traction, Adversis researchers found large volumes of sensitive data belonging to major companies sitting in Box Enterprise accounts and reachable through public shared links (what the article loosely calls “buckets”).

During testing, they found that the custom shared links pointing at sensitive internal files could be discovered by brute force, i.e. by guessing the link names, which exposed terabytes of sensitive data. This data included passport photos, Social Security and bank account numbers, prototypes and design files, employee lists, financial data, invoices, internal issue trackers, customer lists, archives of years of internal meetings, IT data, VPN configurations, network diagrams, and more.

This is not a bug, the team notes, but rather a misuse of the shared folders functionality: the links were deliberately set to be open to anyone who has the URL. Before publishing their findings, the researchers gave a heads-up to a number of companies that had “highly sensitive data exposed.” They also reached out directly to Box, which soon updated its “shared links” documentation to clarify what companies need to do to keep their Box shared files and folders secure:

“Creating public custom shared links for any content may result in anyone who can guess the URL gaining access to that content. To reduce risk to sensitive content, we recommend that:

  • Administrators configure Shared Link default access to ‘People in your company’ to reduce accidental creation of public (open) links by users.
  • Administrators regularly run a shared link report (as described here) to find and manage public custom shared links.
  • Users do not create public (open) custom shared links to content that is not intended for public consumption”
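The second recommendation above, a periodic sweep for public shared links, is straightforward to automate against the Box API, which reports each item's `shared_link` object with an `access` value of `open`, `company` or `collaborators`. The script below is an added example, not code from Box or from Adversis. It assumes the field names of Box's public `shared_link` object (`access`, `effective_access`, `url`, `vanity_url`, `vanity_name`) and the `GET /2.0/folders/{id}/items` listing endpoint; the sample listing it audits is constructed, not real data.

```python
import json
import urllib.request

# Constructed sample in the shape of one page returned by
# GET https://api.box.com/2.0/folders/{id}/items?fields=name,type,shared_link
# The field names follow Box's shared_link object; the entries are made up.
SAMPLE_ITEMS = json.loads("""
{
  "entries": [
    {"type": "file", "id": "1001", "name": "vpn-config.ovpn",
     "shared_link": {"url": "https://app.box.com/s/abc123",
                     "vanity_url": "https://example.app.box.com/v/vpn",
                     "vanity_name": "vpn",
                     "access": "open", "effective_access": "open"}},
    {"type": "folder", "id": "2002", "name": "Board minutes",
     "shared_link": {"url": "https://app.box.com/s/def456",
                     "vanity_url": null, "vanity_name": null,
                     "access": "company", "effective_access": "company"}},
    {"type": "file", "id": "3003", "name": "customer-list.xlsx",
     "shared_link": {"url": "https://app.box.com/s/ghi789",
                     "vanity_url": "https://example.app.box.com/v/customers",
                     "vanity_name": "customers",
                     "access": "collaborators",
                     "effective_access": "collaborators"}},
    {"type": "file", "id": "4004", "name": "q3-invoices.pdf",
     "shared_link": null}
  ]
}
""")


def audit_shared_links(entries):
    """Return a finding for every item whose link works for anyone holding the URL.

    Only links whose enforced access level is "open" are reported; "company"
    and "collaborators" links require a Box login, and items without a shared
    link are skipped. A finding is marked guessable when the link carries a
    human-chosen vanity name, which is what an attacker can enumerate, unlike
    the random token in a default /s/ link.
    """
    findings = []
    for item in entries:
        link = item.get("shared_link")
        if not link:
            continue
        # effective_access is what Box enforces after enterprise policy is
        # applied; fall back to the requested access level if it is absent.
        access = link.get("effective_access") or link.get("access")
        if access != "open":
            continue
        findings.append({
            "id": item["id"],
            "type": item["type"],
            "name": item["name"],
            "url": link.get("vanity_url") or link.get("url"),
            "guessable": bool(link.get("vanity_name")),
        })
    return findings


def fetch_folder_items(token, folder_id="0", limit=1000):
    """Fetch one page of a folder listing from the live Box API.

    Not called when this file runs offline; pass a Box OAuth token and a
    folder id ("0" is the root) to audit a real account. Recursion into
    sub-folders and paging through offsets is left to the caller.
    """
    url = (f"https://api.box.com/2.0/folders/{folder_id}/items"
           f"?fields=name,type,shared_link&limit={limit}")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["entries"]


if __name__ == "__main__":
    for f in audit_shared_links(SAMPLE_ITEMS["entries"]):
        kind = "guessable vanity URL" if f["guessable"] else "random /s/ link"
        print(f'{f["type"]} {f["id"]} "{f["name"]}": OPEN link {f["url"]} ({kind})')
```

Run against the constructed sample, only `vpn-config.ovpn` is reported: it is the one item whose enforced access is `open`, and its vanity name is exactly the kind of short, predictable path the researchers were able to guess. The `company` and `collaborators` links are left alone even though they exist, which is the distinction Box's first recommendation (default new links to “People in your company”) relies on.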

According to TechCrunch, the companies whose internal data was exposed through public Box shared links include flight-reservation service Amadeus, television network Discovery, nutrition giant Herbalife, PR firm Edelman, medical insurer PointCare, and even Apple and Box themselves.
