Dozens of companies using Box inadvertently shared private data (updated)

Apple and more than 90 other companies apparently didn’t understand how Box’s public URLs work.

More than 90 companies inadvertently exposed hundreds of thousands of documents and terabytes of data via Box, a cloud-based file-sharing system. Cybersecurity firm Adversis exposed the potential security concern and says everything from passport photos to social security and bank account numbers, prototype and design files, employee lists, and financial and IT data were revealed.

While data and documents uploaded to Box Enterprise accounts are technically private, users can share access via links, some of which can be made publicly viewable by anyone who happens to have the URL. And Adversis found that some companies have revealed those secret links — some were even been indexed by search engines. Adversis initially planned to reach out to companies individually but quickly realized the scale of the problem went beyond that.

Box released the following statement regarding the report: “We take our customers’ security seriously and we provide controls that allow our customers to choose the right level of security based on the sensitivity of the content they are sharing. In some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to public or “open.” We are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links.”

It’s important to note that some Box URLs being theoretically accessible by anyone to see isn’t a flaw or mistake in their system. The company notes that it has many different ways to share content — files can be totally private, accessible only to specific users or accessible to anyone who has the URL in question (a public link). Users can also set custom URLs, which is primarily what Adversis’s study refers to.

Box itself specifically says that if a public Box URL is shared somewhere where others can find it, like a website that might be indexed by Google, that content will be accessible. Best security practices call for not sharing those links publicly. The same is doubly true for public Box links with custom URLs — those may be useful for internal sharing but shouldn’t be shared outside a trusted set of people.

To address the concerns raised by situations like Adversis found, Box is taking a number of steps. For starters, the Box admin console is now set to disable public custom shared URLs by default; unless a admin changes that, users won’t be able to share links in that fashion. Additionally, the default privacy setting for shared links is set to “people in your company,” and that default can only be changed by an admin. Finally, Box is also working with companies who use its tools to make sure they know how to audit public and custom URLs in their organization and make them more secure, if necessary.

According to TechCrunch, Apple, the television network Discovery, flight reservation system Amadeus, nutrition company Herbalife and Opportunity International were among the companies whose data was available in public links. It includes everything from customer emails and phone numbers to patient insurance information and public works project details.

Ultimately, the major issue here appears to be a disconnect between how people use Box’s pubic URLs and not so much a security concern. To that end, Box is improving the user education when people use its product to share URLs to make it clear what potential there is for data exposure so that users choose the security level that’s right for them.

Update: 3/11/19 5:25PM ET: This post has been extensively updated to include a statement from Box as well as details about how the company is making it easier for users to understand how its public URLs work and how to properly secure their content. We’ve also updated the headline to reflect the updated story, as this data exposure didn’t come directly from a lack of security on the part of Box.

Share:

Other News

Nothing in this publication should be considered as personalized financial advice. We are not licensed under securities laws to address your particular financial situation. No communication by our employees to you should be deemed as personalized financial advice. Please consult a licensed financial advisor before making any investment decision. This is a paid advertisement and is neither an offer nor recommendation to buy or sell any security. We hold no investment licenses and are thus neither licensed nor qualified to provide investment advice. The content in this report or email is not provided to any individual with a view toward their individual circumstances. Canada News Group is a wholly-owned subsidiary of Market IQ Media Group, Inc.

While all information is believed to be reliable, it is not guaranteed by us to be accurate. Individuals should assume that all information contained in our newsletter is not trustworthy unless verified by their own independent research. Also, because events and circumstances frequently do not occur as expected, there will likely be differences between any predictions and actual results. Always consult a licensed investment professional before making any investment decision. Be extremely careful, investing in securities carries a high degree of risk; you may likely lose some or all of the investment.

Latest Headlines

Subscribe

Join our email list to receive the free market update newsletter

Canada News Group is a financial media company whose focus is to provide readers with financial news and content on the latest trends and happenings in the financial world.

error: Content is protected !!