Dozens of tech companies and corporate giants have been inadvertently leaking sensitive corporate and customer data through misconfigured Box enterprise storage accounts, according to research by cybersecurity firm Adversis reported by TechCrunch.
Files stored in Box enterprise accounts are private by default, and the way to share them is to generate a link to a file or folder. The researchers found that some of these ‘secret links’ can be discovered by outsiders. A shared link set to public is the only thing standing between the data and the internet, so once a link is found or guessed, everything behind it is open to anyone.
Using a script that scanned for Box accounts with lists of company names and wildcard searches, Adversis discovered over 90 companies with publicly accessible folders, Apple among them. Even Box’s own staff were found to be leaking sensitive data.
Apple, which has now reconfigured its enterprise accounts, had several folders exposed, containing what appeared to be non-sensitive internal data, such as logs and regional price lists.
Worse, some public folders had been scraped and indexed by search engines, making the data even easier to find.
Adversis said it found passport photos, bank account and Social Security numbers, passwords, employee lists, financial data such as invoices and receipts, and customer data among the exposed files. Adversis contacted Box to warn it of the larger exposures of sensitive data, but noted that there was little overall improvement six months after its initial disclosure.
Adversis has advised Box administrators to set the default access for shared links to “people in your company” rather than public, so that a carelessly generated link does not expose data to the internet. A changed default only governs links created from then on; links that are already public stay public until someone finds and changes them.
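Finding the links that are already public is the part the default setting does not do for you. The script below is an added example, not Adversis’ scanner and not code from Box or TechCrunch: it walks a Box folder tree, flags every item whose shared link is “open” (anyone with the URL), and builds the API request that would tighten it to “company”. It assumes the item shape of Box’s v2 folder-items response (type, id, name, optional shared_link with an access field of open, company or collaborators) and that shared links are changed with PUT /2.0/files/{id} or /2.0/folders/{id}; both should be checked against the current Box API reference before use. The fetcher is injected so the logic runs here against constructed sample data; in production it would wrap an authenticated GET.

```python
"""Audit a Box folder tree for "open" shared links and build the requests
that would tighten them. Added example, not Box's or Adversis' code.

Assumptions (verify against Box's API docs): items look like the v2
folder-items response, the root folder id is "0", and a shared link is
changed with PUT /2.0/{files|folders}/{id} {"shared_link": {"access": ...}}.
"""
from typing import Callable, Dict, Iterable, Iterator, List

Item = Dict
# A fetcher returns every child item of a folder id (pagination already
# handled). In production it would wrap an authenticated
# GET /2.0/folders/{id}/items?fields=id,type,name,shared_link (assumption).
Fetcher = Callable[[str], List[Item]]

WEAKEST = "open"      # anyone with the URL, no login required
TARGET = "company"    # the default Adversis recommended


def walk_folder(fetch_items: Fetcher, root_id: str) -> Iterator[Item]:
    """Depth-first traversal of a Box folder tree, yielding every item once."""
    stack = [root_id]
    seen = set()
    while stack:
        folder_id = stack.pop()
        if folder_id in seen:   # defensive: a buggy fetcher must not loop us
            continue
        seen.add(folder_id)
        for item in fetch_items(folder_id):
            yield item
            if item.get("type") == "folder":
                stack.append(item["id"])


def find_open_shares(items: Iterable[Item]) -> List[Item]:
    """Return the items whose shared link is readable by anyone with the URL."""
    return [it for it in items
            if (it.get("shared_link") or {}).get("access") == WEAKEST]


def remediation_request(item: Item, access: str = TARGET) -> Dict:
    """Describe the PUT that would tighten one item's shared link."""
    if access not in ("company", "collaborators"):
        raise ValueError("only company/collaborators are tighter than open")
    kind = "folders" if item["type"] == "folder" else "files"
    return {"method": "PUT",
            "path": f"/2.0/{kind}/{item['id']}",
            "json": {"shared_link": {"access": access}}}


def audit(fetch_items: Fetcher, root_id: str = "0") -> List[Dict]:
    """Walk from root_id and return one remediation request per open share,
    in traversal order. Nothing is sent; the caller decides what to apply."""
    return [remediation_request(it)
            for it in find_open_shares(walk_folder(fetch_items, root_id))]


# Constructed sample tree standing in for the Box API (not real data).
SAMPLE_TREE = {
    "0": [
        {"type": "folder", "id": "100", "name": "Finance"},
        {"type": "file", "id": "200", "name": "price-list.xlsx",
         "shared_link": {"access": "open",
                         "url": "https://example.app.box.com/v/constructed"}},
    ],
    "100": [
        {"type": "file", "id": "201", "name": "invoices.pdf",
         "shared_link": {"access": "company"}},
        {"type": "folder", "id": "101", "name": "Payroll",
         "shared_link": {"access": "open"}},
    ],
    "101": [
        {"type": "file", "id": "202", "name": "passport-scan.jpg",
         "shared_link": {"access": "collaborators"}},
    ],
}


def sample_fetcher(folder_id: str) -> List[Item]:
    return SAMPLE_TREE.get(folder_id, [])


if __name__ == "__main__":
    for req in audit(sample_fetcher):
        print(req["method"], req["path"], req["json"])
```

Two design points. The audit only reports and never writes: an admin should review the list first, because some public links (a press kit, a published price list) may be intentional, and tightening them silently breaks whatever depends on them. And the traversal tracks visited folder ids, so a fetcher that returns a folder under itself cannot put the scan into an infinite loop.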
Update: A Box spokesperson emailed iPhone in Canada the following statement:
We take our customers’ security seriously and we provide controls that allow our customers to choose the right level of security based on the sensitivity of the content they are sharing. In some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to public or “open.”
We are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links.