Box enterprise customers may be sharing sensitive corporate data on the open internet by misusing their online storage.
This is according to researchers at vulnerability-hunting biz Adversis, who said they were able to guess URLs that, in turn, allowed them to peek into organizations' sensitive Box-hosted folders in the cloud, including passport photos, social security numbers, and financial records. These URLs had been marked publicly accessible, allowing the Adversis crew to potentially leaf through terabytes of internal data.
In a statement to El Reg, a Box spokesperson confirmed: "There were some Box corporate links that were wrongly set to open or public permission. They have all been updated and are no longer available."
The problem, explained Adversis, is that the Box Enterprise service will allow customers to create unique URLs for specific Box-hosted files and folders. Anyone who knows a particular URL can view the file if it is set to public. Unfortunately, in many cases, the URLs end up being extremely easy to guess, and made public.
"Companies using Box Enterprise get their own sub-domain, and documents saved on Box can be shared to anyone with the unique URL. Users can also name the shared link to whatever they choose. Unfortunately, the sub-domain, URL, and folder names are easily brute-forceable. You can see where this is going," Adversis said in its write-up of the issue on Monday.
The URLs take the format https://[company-sub-domain].app.box.com/v/[shared-link-name], allowing miscreants to guess files and folder names and spy on big businesses.
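The defensive counterpart to the guessing described above is for a Box admin to inventory their own tenant's shared links and find the ones set to open access before anyone else does. The script below is an added example written for this article, not code from Adversis or Box: it takes a constructed listing of files and folders in the shape of Box's content API (each item carrying a `shared_link` object with `access` and `vanity_name` fields, which is an assumption about the API layout to verify against the current reference), ranks every link that is reachable beyond its collaborators, and builds the request body that would restrict or remove the worst ones. No network calls are made; the sample data is embedded inline.

```python
"""Audit Box shared links for public exposure (added example, not from the article).

Assumptions, to be checked against the Box API reference:
  * a listing request with the `shared_link` field yields, per item, either
    null or an object with `url`, `vanity_name` and `access`;
  * `access` takes the values "open" (anyone with the link), "company"
    (logged-in users of the tenant) or "collaborators";
  * a PUT on the item with `{"shared_link": null}` removes the link, and
    `{"shared_link": {"access": "company"}}` tightens it.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample listing; the IDs, names and URLs are made up.
SAMPLE_ITEMS_JSON = """
[
  {"type": "folder", "id": "1001", "name": "Board decks", "shared_link": null},
  {"type": "file", "id": "2001", "name": "passports.pdf",
   "shared_link": {"url": "https://example.app.box.com/v/hr",
                   "vanity_name": "hr", "access": "open"}},
  {"type": "file", "id": "2002", "name": "q3-forecast.xlsx",
   "shared_link": {"url": "https://app.box.com/s/77ab1example",
                   "vanity_name": null, "access": "open"}},
  {"type": "folder", "id": "1002", "name": "Finance",
   "shared_link": {"url": "https://example.app.box.com/v/finance",
                   "vanity_name": "finance", "access": "company"}},
  {"type": "file", "id": "2003", "name": "contract.docx",
   "shared_link": {"url": "https://app.box.com/s/z1x2example",
                   "vanity_name": null, "access": "collaborators"}}
]
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    item_id: str
    name: str
    access: str
    vanity_name: Optional[str]
    severity: str


def classify(item: dict) -> Optional[Finding]:
    """Rate one item's shared link; None means nothing to report."""
    link = item.get("shared_link")
    if not link:
        return None
    access = link.get("access", "")
    vanity = link.get("vanity_name")
    if access == "open":
        # Public link plus a human-chosen vanity name under the company
        # sub-domain is exactly the guessable case the article describes.
        severity = "high" if vanity else "medium"
    elif access == "company":
        # Reachable by every account in the tenant: worth a review, not an alarm.
        severity = "low"
    else:
        # "collaborators" (or unknown): restricted to explicit collaborators.
        return None
    return Finding(item["id"], item["name"], access, vanity, severity)


def audit(items_json: str) -> list:
    """Return findings for a JSON listing, most severe first."""
    findings = [classify(item) for item in json.loads(items_json)]
    return sorted((f for f in findings if f is not None),
                  key=lambda f: SEVERITY_ORDER[f.severity])


def remediation_body(finding: Finding) -> dict:
    """Body for a PUT on the item: drop high-severity links, tighten the rest."""
    if finding.severity == "high":
        return {"shared_link": None}
    return {"shared_link": {"access": "company"}}


if __name__ == "__main__":
    for f in audit(SAMPLE_ITEMS_JSON):
        print(f"{f.severity:6} {f.item_id} {f.name!r} access={f.access} "
              f"vanity={f.vanity_name} -> {json.dumps(remediation_body(f))}")
```

Against a live tenant the listing would come from paging through the admin's folders with the `shared_link` field requested; the scoring and remediation logic stay the same. Ranking links with a vanity name above those with a random token reflects the article's point: the random `/s/` tokens are not the problem, the memorable names under a known sub-domain are.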
"After identifying thousands of Box customer sub-domains through standard intelligence gathering techniques," Team Adversis explained, "and...