Confidential Apple Files Exposed to the Public in an Incorrectly Configured Box Account





By Malcolm Owen
Monday, March 11, 2019, at 7:54 am, Pacific Time (10:54 am, Eastern Time)

Poor configuration of a cloud storage service left sensitive data in view of unauthorized users, security researchers have discovered, with Apple and other well-known companies inadvertently leaving files and folders accessible to the public.


Cloud storage services emphasize security and the ability to easily share data with other users or with the public, but using such services usually carries the risk of a breach by cybercriminals, which companies strive to prevent. Nevertheless, a flaw is not always necessary for unwanted parties to access the data, as exposure can sometimes simply come down to poor configuration.

Researchers at the cybersecurity company Adversis have discovered that many major Box Enterprise customers are putting their data at risk through their use of the service's sharing features, TechCrunch reports. In investigating the problem, they found that hundreds of thousands of documents and terabytes of data were accessible from the storage of hundreds of Box's customers.

The problem lay in how files could be shared via links on custom domains. Once a link was found, researchers were able to discover other secret links on a subdomain by brute force.

According to Adversis, Box advised account administrators to set the default access for shared links to "people in your business" to minimize public exposure. Running a regular report on shared links would help uncover active links that might be disabled over time, and administrators should recommend that users not create custom public shared links to content "not intended for public use."
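As an added illustration of the regular shared-link review recommended above (not code from Adversis, Box or the original article), the following sketch triages a shared-link report and ranks public links, with custom URLs and missing expiry dates raising the priority. The CSV layout, column names and scoring are assumptions made for the example, and the sample rows are constructed.

```python
import csv
import io
from datetime import date

# Constructed sample export. The column names are assumptions for this
# example and do not reproduce Box's actual report format.
SAMPLE_REPORT = """item,owner,access,custom_url,expires
Q1-price-list.xlsx,alice@example.com,open,pricing,
build-logs,bob@example.com,open,,2019-04-01
hr-roster.csv,carol@example.com,company,,
press-kit.zip,dave@example.com,open,press,2019-03-01
onboarding.pdf,erin@example.com,collaborators,,
"""


def audit_shared_links(report_text, today):
    """Return (severity, item, owner, reasons) for each live public link."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        if row["access"].strip().lower() != "open":
            continue  # limited to the company or to named collaborators
        expires = row["expires"].strip()
        if expires and date.fromisoformat(expires) <= today:
            continue  # link has already expired
        reasons = ["public access"]
        severity = 1
        if row["custom_url"].strip():
            # Custom names are the links the article says could be guessed.
            reasons.append("custom URL (guessable name)")
            severity += 2
        if not expires:
            reasons.append("no expiry date")
            severity += 1
        findings.append((severity, row["item"], row["owner"], reasons))
    # Highest severity first, then by item name for a stable order.
    return sorted(findings, key=lambda f: (-f[0], f[1]))


if __name__ == "__main__":
    for sev, item, owner, reasons in audit_shared_links(SAMPLE_REPORT, date(2019, 3, 11)):
        print(f"[{sev}] {item} ({owner}): {', '.join(reasons)}")
```

Links at the top of the output are the first candidates for switching to company-only access or disabling outright.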

The data discovered by the company includes passport photos, bank account numbers, Social Security numbers, passwords, employee lists, and various financial and customer data. In the case of Apple, several folders containing "non-sensitive internal data," such as log files and price lists, were exposed.

The other companies identified are Amadeus, Discovery, Herbalife, Edelman, Pointcare and Box. Since the problem was reported, all identified companies have reconfigured their business accounts.
