Software as a Service (SaaS) providers are becoming more numerous by the month. Salesforce is one familiar example. Box works a bit differently, but it too holds a great deal of sensitive information.
Thanks to “improperly configured” accounts, many users’ data are now compromised.
Cybersecurity firm Adversis investigated the issue after discovering it last year. Their digging revealed exactly why it happened, what was compromised, and how to fix the problem.
A Longstanding User Error Exposing Private Data
In total, more than 90 companies fell victim to this data leak. Essentially, if a company had not properly adjusted its folder access settings, anyone could access those folders publicly. However, simple public access is just the tip of this inadvertent iceberg.
Adversis went on to say that search engines had even indexed some of the public folders, meaning whatever data those folders held can now be found more easily by anyone searching for it.
The leaked data included some of the following types:
- Passport photos
- Social security numbers
- Bank accounts
- Employee lists
- Financial data such as invoices or receipts
- Passwords
Adversis notified Box once it discovered how much sensitive data was exposed. Because the leak is so widespread, Box cannot deal with each case individually. What’s worse, this is not the first time Box has had this issue, as the tweet below from 2018 shows.
Ensure Your Protection by Using Box Appropriately
In addition to the folder access setting, vanity URLs created problems as well. A vanity URL replaces the random characters in a shared link with a readable name, so anyone wishing to gain access could guess such links with a dictionary attack.
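The two settings described above (a folder shared with public access, and a vanity URL in place of a random link path) are both visible to a Box administrator through the folder-items listing. The script below is an added example written for this article, not code from Adversis or Box: it walks a constructed sample listing, flags every item whose shared link is public or carries a vanity name, and builds the update body that would tighten the link to company-only access. The sample data is made up, and the field names (`entries`, `shared_link.access`, `shared_link.vanity_name`) follow Box's API as the author understands it; treat the exact schema as an assumption to check against current documentation.

```python
import json

# Constructed sample response, not real Box data. The field names follow the
# Box folder-items API as the author of this example understands it; confirm
# the schema against Box's current documentation before relying on it.
SAMPLE_ITEMS = json.loads("""
{
  "entries": [
    {"type": "folder", "id": "1001", "name": "HR - onboarding scans",
     "shared_link": {"url": "https://example.app.box.com/s/k3m9x2p7q1",
                     "access": "open", "vanity_name": null}},
    {"type": "folder", "id": "1002", "name": "Board decks",
     "shared_link": {"url": "https://example.app.box.com/v/boarddecks",
                     "access": "open", "vanity_name": "boarddecks"}},
    {"type": "folder", "id": "1003", "name": "Engineering",
     "shared_link": {"url": "https://example.app.box.com/s/q8z1ncv4tt",
                     "access": "company", "vanity_name": null}},
    {"type": "file", "id": "2001", "name": "invoice-q3.pdf",
     "shared_link": {"url": "https://example.app.box.com/s/77rtyu2mnb",
                     "access": "collaborators", "vanity_name": null}},
    {"type": "folder", "id": "1004", "name": "Private", "shared_link": null}
  ]
}
""")


def classify(item):
    """Return a list of exposure findings for one item (empty if none)."""
    link = item.get("shared_link")
    if not link:
        return []  # no shared link: reachable only through collaboration
    findings = []
    if link.get("access") == "open":
        findings.append("public link: anyone holding the URL can open it "
                        "without logging in")
        if item.get("type") == "folder":
            findings.append("public folder: every item inside is exposed "
                            "through it")
    if link.get("vanity_name"):
        findings.append("vanity URL: the random path was replaced by a "
                        "readable, guessable name")
    return findings


def audit(listing):
    """Walk a folder listing and collect the items with at least one finding."""
    report = []
    for item in listing["entries"]:
        findings = classify(item)
        if findings:
            report.append({"id": item["id"], "type": item["type"],
                           "name": item["name"], "findings": findings})
    return report


def remediation(entry, keep_link=True):
    """Build the update body for a flagged item.

    keep_link=True tightens the link to company-only access and clears the
    vanity name; keep_link=False removes the shared link entirely. The shape
    {"shared_link": {...}} / {"shared_link": null} is what Box's update
    endpoints accept as far as the author knows; verify before use.
    """
    if not keep_link:
        return {"shared_link": None}
    return {"shared_link": {"access": "company", "vanity_name": None}}


if __name__ == "__main__":
    for entry in audit(SAMPLE_ITEMS):
        print(f"[{entry['type']} {entry['id']}] {entry['name']}")
        for finding in entry["findings"]:
            print("   -", finding)
        print("   fix:", json.dumps(remediation(entry)))
```

Run against the constructed listing, the audit flags the two public folders (the second also for its vanity name) and leaves the company-only folder, the collaborator-only file and the unshared folder alone. Pointing the same logic at a real listing means paging through every folder an enterprise owns, since a public link on a parent exposes everything beneath it.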
Though Box notified clients of the issue in September of 2018, the issue persists.
Thankfully, Adversis has published its process as open source, so you can read all about it here. They outline the issue, how to fix it, and the steps they took to identify the leaks. If your company uses Box, you may want to follow those steps to protect your data.
They also take the time to note that this is a feature, not a bug or vulnerability. Despite this caveat, only time will tell whether Box escapes the revelation unscathed.