For HomeFor BusinessFor Partners
Industry News
1 min read

Misconfigured Enterprise Box accounts leak terabytes of sensitive internal data

Filip TRUȚĂ

March 12, 2019

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Misconfigured Enterprise Box accounts leak terabytes of sensitive internal data

Pen-testing experts have made a worrisome discovery regarding the popular cloud storage service Box, specifically the Enterprise version used by some of the world”s biggest companies.

Following up on a warning issued by infosec geeks earlier last year that failed to gain traction, Adversis researchers discovered a lot of sensitive data belonging to major companies and corporations stored in publicly accessible “buckets.”

During testing, they found that links to sensitive internal files can be determined by brute forcing them (i.e. guessing them), resulting in the exposure of terabytes of sensitive data. This data included passport photos, Social Security and bank account numbers, prototypes and design files, employee lists, financial data, invoices, internal issue trackers, customer lists, archives of years of internal meetings, IT data, VPN configurations, network diagrams, and more.

This is not a bug, the team notes, but rather a misuse of the shared folders functionality. Before going online with their findings, the researchers gave a heads up to a number of companies that had “highly sensitive data exposed.” They also reached out directly to Box. The latter soon updated its “shared links” documentation to clarify what companies need to do to keep their Box shared files and folders secure:

“Creating public custom shared links for any content may result in anyone who can guess the URL gaining access to that content. To reduce risk to sensitive content, we recommend that:

  • Administrators configure Shared Link default access to ‘People in your company’ to reduce accidental creation of public (open) links by users.
  • Administrators regularly run a shared link report (as described here) to find and manage public custom shared links.
  • Users do not create public (open) custom shared links to content that is not intended for public consumption”

According to TechCrunch, among the companies with internal data exposed through misconfigured Box buckets are flight-reservation service Amadeus, television network Discovery, nutrition giant Herbalife, PR firm Edelman, medical insurer PointCare, and even Apple and Box themselves.

tags

Industry News

Author

Filip TRUȚĂ

Filip TRUȚĂ

Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.

View all posts

Right now Top posts

Your Device ‘Fingerprint’ Will Go to Advertisers Starting February 2025
Industry News Digital Privacy

Your Device ‘Fingerprint’ Will Go to Advertisers Starting February 2025

December 24, 2024

3 min read
Beware of Scam Emails Seeking Donations for UNICEF or Other Humanitarian Groups
Scam Digital Privacy

Beware of Scam Emails Seeking Donations for UNICEF or Other Humanitarian Groups

December 19, 2024

3 min read
How to Spot a Voice Cloning Scam
Scam How to Tips and Tricks

How to Spot a Voice Cloning Scam

December 16, 2024

6 min read
Torrents with Pirated TV Shows Used to Push Lumma Stealer Malware
Threats The Safe Nomad

Torrents with Pirated TV Shows Used to Push Lumma Stealer Malware

November 14, 2024

4 min read

FOLLOW US ON SOCIAL MEDIA

You might also like

Cybersecurity Grand Prix: VPNs and a 1-2 Race Finish
Cybersecurity Grand Prix

Cybersecurity Grand Prix: VPNs and a 1-2 Race Finish
Bitdefender

December 11, 2024

3 min read
Holiday Shopping and the Dark Market Parallel
Tips and Tricks

Holiday Shopping and the Dark Market Parallel
Bitdefender

December 04, 2024

4 min read
Track Guide to Las Vegas: Cybersecurity Edition
Cybersecurity Grand Prix

Track Guide to Las Vegas: Cybersecurity Edition
Bitdefender

November 19, 2024

3 min read

Bookmarks

loader