Monday March 11, 2019

Careless Employees Expose Sensitive Data as Public on the Cloud

Adversis has discovered that employees at numerous companies are sharing files by enabling public file sharing in Box Enterprise. Combined with the ability to brute-force the sub-domain, URL, and folder names of Box Enterprise accounts, this means that these sensitive files, documents, and more are easily discovered, and some are even being indexed by Google. Files found by Adversis include hundreds of passport photos, social security and bank account numbers, tech prototype and design files, employee lists, financial data, invoices, VPN configurations, and more.

It is unknown how Box Enterprise can be changed to save employees from themselves. This is not a vulnerability or bug, as public sharing is a feature of Box Enterprise. Adversis noted that the issue was raised in 2014 and ignored by companies. Box released a public service announcement, but most companies ignored that as well. TechCrunch listed some of the interesting files discovered on Box, including passwords and backdoors for major municipality public works, customer phone numbers, names and email addresses, healthcare provider patient information, and more. Adversis has open-sourced its scanning tool.
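The exposure described above comes down to one setting: a shared link whose access level is "open" (anyone with the URL, no login), and an open link on a folder exposes everything inside it. The following is an added audit example, not Adversis's scanner and not Box's own tooling. It walks a folder-tree listing and reports every item reachable without authentication. The record shape (`type`, `name`, `shared_link.access`, `owned_by.login`, `item_collection.entries`) mirrors Box's folder-items API, but the data below is constructed, no API call is made, and the rule that an open folder link exposes its children is a modelling assumption of this example.

```python
"""Audit a Box-style folder tree export for publicly shared ("open") links.

Constructed example: the records mimic the shape of Box's folder-items API
but are made up; nothing here talks to Box.
"""
import json
from collections import defaultdict

# Box shared-link access levels are "open", "company" and "collaborators".
# Only "open" means anyone holding the URL can reach the item without logging in.
PUBLIC_ACCESS = "open"

# Constructed sample export of a small tenant (placeholder URLs, fake logins).
SAMPLE_TREE = json.loads("""
{
  "type": "folder", "id": "0", "name": "All Files", "shared_link": null,
  "owned_by": {"login": "admin@example.com"},
  "item_collection": {"entries": [
    {"type": "folder", "id": "11", "name": "HR",
     "shared_link": {"access": "open", "url": "https://PLACEHOLDER.app.box.com/s/hr-link"},
     "owned_by": {"login": "hr@example.com"},
     "item_collection": {"entries": [
        {"type": "file", "id": "111", "name": "passport-scans.zip",
         "shared_link": null, "owned_by": {"login": "hr@example.com"}}
     ]}},
    {"type": "folder", "id": "22", "name": "Engineering",
     "shared_link": {"access": "company", "url": "https://PLACEHOLDER.app.box.com/s/eng-link"},
     "owned_by": {"login": "eng@example.com"},
     "item_collection": {"entries": [
        {"type": "file", "id": "221", "name": "vpn.ovpn",
         "shared_link": {"access": "open", "url": "https://PLACEHOLDER.app.box.com/s/vpn-link"},
         "owned_by": {"login": "eng@example.com"}},
        {"type": "file", "id": "222", "name": "design.pdf",
         "shared_link": {"access": "collaborators", "url": "https://PLACEHOLDER.app.box.com/s/design-link"},
         "owned_by": {"login": "eng@example.com"}}
     ]}}
  ]}
}
""")


def walk(item, path="", inherited_public=False):
    """Yield (path, item, directly_public, inherited_public) for every item.

    Assumption modelled here: an open link on a folder lets the link holder
    browse its contents, so children inherit the exposure even when they
    carry no shared link of their own.
    """
    here = f"{path}/{item['name']}"
    link = item.get("shared_link") or {}
    direct = link.get("access") == PUBLIC_ACCESS
    yield here, item, direct, inherited_public
    for child in (item.get("item_collection") or {}).get("entries", []):
        yield from walk(child, here, inherited_public or direct)


def find_exposed(tree):
    """Return findings for every item reachable without authentication."""
    findings = []
    for path, item, direct, inherited in walk(tree):
        if direct or inherited:
            findings.append({
                "path": path,
                "type": item["type"],
                "owner": item["owned_by"]["login"],
                "reason": "own shared link is open" if direct else "inside an open folder",
            })
    return findings


def summarize_by_owner(findings):
    """Count exposed items per owner so the right people can be asked to fix them."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["owner"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = find_exposed(SAMPLE_TREE)
    for f in results:
        print(f"{f['type']:6} {f['path']}  ({f['owner']}: {f['reason']})")
    print("per owner:", summarize_by_owner(results))
```

Note that `design.pdf` is not flagged: its link is restricted to collaborators and it sits under a folder whose link is company-only, so neither its own setting nor its ancestry makes it public. `passport-scans.zip` has no link at all and is still flagged, because its parent folder is open. That inheritance is the case that a naive per-item check misses.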


Box spokesperson Denis Roy said in a statement: "We take our customers' security seriously and we provide controls that allow our customers to choose the right level of security based on the sensitivity of the content they are sharing. In some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to public or 'open'. We are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links."
