Businesses that use Box.com as a cloud-based hosting and file-sharing system may accidentally expose internal files, sensitive documents, or proprietary technology.
The exposure is due to human error, said Adversis, the cyber security firm that investigated this problem and worked with Box and the companies involved to fix it.
The problem lies with Box.com account owners who do not set the default access level for file and folder share links to "People in your company", which leaves every newly created link publicly accessible.
If the organization also allows users to replace the random characters in a link with a custom URL, the links to these files can be guessed with a dictionary attack.
That's what Adversis did last year. The company said it had scanned Box.com for accounts belonging to large companies and tried to guess the custom URLs of files or folders that employees had shared in the past.
Its efforts were not in vain. In a report released today, Adversis said it found a trove of extremely sensitive data, including:
- Hundreds of passport photos
- Social security and bank account numbers
- High tech prototype and design files
- Lists of employees
- Financial data, invoices, follow-up of internal problems
- Lists of clients and records of years of internal meetings
- Computer data, VPN configurations, network schemas
TechCrunch, which had seen some of Adversis' research findings, said the companies that had exposed internal files included Apple, Discovery Channel, Herbalife, Schneider Electric and even Box itself.
Most of these leaks have since been fixed, and Box informed all of its customers last September of the risks of misconfigured access permissions on Box.com share links.
ZDNet contacted Box earlier in the day and asked what tools and features companies had at their disposal to inspect their portfolio of publicly available links.
"We provide administrators with tools to generate various reports on open links in their business, as well as to disable open and customized URLs for their business," said a Box spokesperson via email. "Administrators can also ensure that 'People in the Business' is the default setting for all shared links to limit a user's potential to set a [file] as inadvertently public."
We also asked whether Box had noticed a decrease in the number of share links configured for public access since it sent its security alert last September.
"We do not proactively analyze our client deployments, but if clients need help or need to address a specific problem, we will work with them to review their links and identify possible problems," said the Box spokesperson.
Box.com account owners are advised to review their account settings and use the tools described in a blog post published today by Box to find out how many links employees have created in the past.
Some of these public URLs may host unimportant files, but others may expose proprietary technology that employees accidentally placed behind a publicly accessible link with a custom URL.
Security researcher Robbie Wiggins told ZDNet in a Twitter conversation today that he expects scanning of public Box URLs to explode in the coming days.
He based this on the fact that Adversis has also open-sourced the tool it used last year. The tool is now on GitHub and available to everyone.
Wiggins, who ran the tool a few hours earlier today, said he had identified more than 2,900 companies with a Box account but had not yet found any files open to the public.
These scans will take a long time. By default, all new Box share links are generated with random characters, and users must deliberately edit the URL to use custom terms. This means that even if a company has a large number of publicly accessible files and folders hosted on Box, not all of them will have custom URLs and be easy to find with the Adversis scanning tool.
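The two facts above, that a link is exposed only when its access level is "open" rather than restricted to the company, and that only custom (vanity) URLs are realistically guessable, are exactly what an administrator needs to triage the share-link report Box lets them generate. The following is an added example, not code from the article, Box, or Adversis: it reads a constructed CSV export (the column names and the `open`/`company` access values are assumed, not Box's real report schema), tells random tokens from human-chosen slugs with a simple separator/length/entropy heuristic, and ranks each link so that public links with custom URLs surface first.

```python
import csv
import io
import math
import re
from urllib.parse import urlparse

# Constructed sample export. The columns and the access values "open" /
# "company" are assumptions for this example, not Box's actual report format.
SAMPLE_EXPORT = """url,access,owner
https://company.box.com/s/x8k2m9qp4vz7w1tn3rhy6ejb0cgd5lfa,open,alice@example.com
https://company.box.com/v/q4-board-deck,open,bob@example.com
https://company.box.com/v/vpn-config,company,carol@example.com
https://company.box.com/v/employee-list-2018,open,dave@example.com
https://company.box.com/s/0pbvq7z2l9mx4kc8d3htw6n1rj5gfyea,company,erin@example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of Shannon entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_custom(slug: str) -> bool:
    """Heuristic: a human-chosen slug tends to contain separators, be short,
    or repeat characters (low entropy); a random token does none of these.
    Thresholds are assumptions chosen for this example."""
    if re.search(r"[-_.]", slug):
        return True
    if len(slug) < 20:
        return True
    return shannon_entropy(slug) < 3.5


def classify_link(url: str) -> str:
    """Return 'custom' for a guessable vanity slug, 'random' for a token."""
    slug = urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]
    return "custom" if looks_custom(slug) else "random"


def audit(csv_text: str) -> list:
    """Rank every share link in the export.

    high   : public link with a guessable custom URL (the case in the article)
    medium : public link, but random token (exposed only if the URL leaks)
    low    : restricted to people in the company
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = classify_link(row["url"])
        public = row["access"].strip().lower() == "open"
        if public and kind == "custom":
            risk = "high"
        elif public:
            risk = "medium"
        else:
            risk = "low"
        findings.append({
            "url": row["url"],
            "owner": row["owner"],
            "public": public,
            "slug_kind": kind,
            "risk": risk,
        })
    return findings


def summarize(findings: list) -> dict:
    """Count links per risk level so the report can be tracked over time."""
    summary = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        summary[f["risk"]] += 1
    return summary


if __name__ == "__main__":
    results = audit(SAMPLE_EXPORT)
    for f in sorted(results, key=lambda f: ["high", "medium", "low"].index(f["risk"])):
        print(f"{f['risk']:6} {f['slug_kind']:6} {f['owner']:20} {f['url']}")
    print(summarize(results))
```

Run against a real export, the "high" bucket is the list to hand to link owners for re-scoping; the "medium" count is worth trending after the default access level is changed, because it should stop growing once new links default to "People in your company".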
It will be like looking for a needle in a haystack, but if the inadvertently exposed files contain highly sensitive documents, hackers stand to make a big payday, and bug hunters can expect a sizable reward from the company that leaked the files in the first place.
A spokesperson for Bugcrowd, a bug bounty platform, was unable to tell ZDNet how many bug reports detailing data leaks caused by Box accounts had been submitted in the past. However, this does not mean the company is unwilling to pay the researchers who find them.
"Over the last four years, Bugcrowd has been the scene of numerous security- and privacy-related file-sharing incidents," Jason Haddix, vice president of Researcher Growth at Bugcrowd, told ZDNet by email.
"Our responsible program managers typically accept these incidents and reward them with bug-generating programs, and security teams then use these incidents to strengthen their file-sharing settings and policies."