Companies that use Box.com to store and share data may be leaking sensitive information. Cybersecurity company Adversis recently announced that it had discovered a potential data leakage problem in the sharing settings of file sharing company Box.com, one that left information such as passport photos, Social Security and bank account numbers, technology prototype and design files, employee lists, financial data, customer lists, IT data and network diagrams exposed. Among the 90 affected companies were Apple, Schneider Electric, TV network Discovery, public relations firm Edelman and nutrition company Herbalife.
The problem stemmed from a change Box made to the way users can share files and folders via links, said storage expert George Crump of Storage Switzerland. Crump said that in an effort to make things more convenient, Box changed the way it creates links to make them more intuitive. In other words, the link became more descriptive. That’s great for companies and their users, but it also tells hackers what they are likely to access by clicking on a particular link.
“Every file sharing service gives customers the ability to make files available by clicking on them, and they are usually available for anybody to access, even if they don’t have an account on the service,” he said. “They were trying to be helpful by setting up URLs to be more convenient and descriptive, but the bad guys can also see what’s being shared.”
Crump said that the blame should be shared by both Box and its customers. The main issue, Crump said, is that Box and other file sharing services have always allowed customers to choose the level of access controls based on the sensitivity of the files, but companies don’t always read the fine print. In other words, sensitive files were set to “public” when they should have been set to “private” or “people in your company.”
“If you have humans, you will have human error. That means companies have to take the initiative and protect the company,” he said. “Be careful of what you put out there. Have policies that detail what you can share, why you are sharing it, and how long you should share it.” Crump also recommended that companies proactively scan what’s being shared on an ongoing basis.
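As an added example (not code from the article, from Box or from Adversis), the following Python script implements the kind of ongoing scan Crump recommends: it walks item metadata in the shape of a Box folder listing and flags shared links set wider than policy allows, using the access levels the article describes (public, people in your company, collaborators only). The `shared_link.access` field names and values, the listing layout and the sample records are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Box shared-link access levels, ranked by exposure (assumed field values:
# 'open' = public, 'company' = people in your company, 'collaborators' = private).
ACCESS_RISK = {"open": 2, "company": 1, "collaborators": 0}

# Constructed name fragments echoing the kinds of files the article lists.
SENSITIVE_HINTS = ("passport", "ssn", "bank", "prototype", "employee",
                   "customer", "network")

@dataclass
class Finding:
    item_id: str
    name: str
    access: str
    reason: str

def audit_items(items, max_allowed="company"):
    """Flag items whose shared link is wider than `max_allowed`, or whose name
    looks sensitive while the link reaches beyond the item's collaborators."""
    limit = ACCESS_RISK[max_allowed]
    findings = []
    for item in items:
        link = item.get("shared_link")
        if not link:
            continue  # no link at all: nothing to audit
        access = link.get("access", "open")
        risk = ACCESS_RISK.get(access, 2)  # unknown value: treat as fully public
        name = item.get("name", "")
        if risk > limit:
            findings.append(Finding(item["id"], name, access,
                                    f"access '{access}' exceeds policy '{max_allowed}'"))
        elif risk > 0 and any(h in name.lower() for h in SENSITIVE_HINTS):
            findings.append(Finding(item["id"], name, access,
                                    "sensitive-looking name shared beyond collaborators"))
    return findings

# Constructed sample in the shape of a Box folder-items listing (assumed layout).
SAMPLE_ITEMS = [
    {"id": "1", "name": "Q3-press-kit.pdf", "shared_link": {"access": "open"}},
    {"id": "2", "name": "employee-list-2019.xlsx", "shared_link": {"access": "company"}},
    {"id": "3", "name": "network-diagram.vsdx", "shared_link": {"access": "collaborators"}},
    {"id": "4", "name": "lunch-menu.txt", "shared_link": None},
    {"id": "5", "name": "passport-scans.zip", "shared_link": {"access": "open"}},
]

if __name__ == "__main__":
    for f in audit_items(SAMPLE_ITEMS):
        print(f"{f.item_id}\t{f.access}\t{f.name}\t{f.reason}")
```

In a real deployment the sample list would be replaced by paged results from the tenant's folder listings, and the policy threshold set per folder according to the sensitivity of its contents.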
As for Box, the change it made to make the URLs more intuitive probably wasn’t a great idea, Crump said.
Box spokesman Denis Roy said in a statement that the company is taking steps to make settings clearer, to better help users understand how their files or folders can be shared, and to reduce the potential for content to be shared unintentionally, including both improving administrative policies and introducing additional controls for shared links.
Crump made it clear that while files were exposed, there has been no evidence of an actual breach.
“There is no evidence, but something could have happened months ago that nobody knows about,” he said. “It’s a warning to companies to read the fine print, think about what’s being shared, and be careful what you share.”