Adversis researchers have discovered that dozens of companies have leaked sensitive data as a result of misconfigured Box accounts.
Box is a cloud based “content management platform” primarily used to share files and folders and similar to AWS S3 buckets. The files can be shared to anyone with the link, restricted to those within a specified company, or to specific users, according to a March 11 post.
The researchers found major tech companies and corporate giants have inadvertently left their data exposed revealing hundreds of passport photos, social security and bank account numbers, as well as high-profile technology prototype and design files.
In addition, they found employee lists, financial data, invoices, internal issue trackers, customer lists, archives of internal meetings, IT data, VPN configurations and network diagrams.
Despite the Box enterprise accounts being set to private by default, users can share files and folders with anyone, making data publicly accessible with a single link that can be discovered by others.
Anyone on the web could obtain these links and researchers were able to find more than 90 companies with publicly accessible folders by scanning for and enumerating Box accounts with lists of company names and wildcard searches.
Researchers even found Box’s own staff was leaking data and that some public folders were scraped and indexed by search engines, making the data more easily accessible.
Jason Haddix, vice president of researcher growth at Bugcrowd, noted that permissions on document and file sharing services are a big risk today but the issue is not specific to just Box since services like Dropbox and Google Drive all share the same inherent risk associated with file sharing.
“Despite what any company’s security team might say, people are still going to use these services because the collaboration capabilities and ease of use far outweigh any security fears for users,” Haddix told SC Media.
“To make sharing easier, users often make these files accessible to anyone with the hyperlink. These links then get shared from user to user, eventually traversing other networks and making their way into other documents.”
Haddix added that given this life cycle, there have been numerous privacy- and security-related incidents associated with file sharing misconfigurations over the years. Identifying and patching vulnerabilities in these platforms is key for organizations to strengthen their file-sharing permission settings and policies.
“Today’s business users have a myriad of applications that they can work from to get their jobs done – whether that’s in structured systems like SAP or unstructured systems like cloud file sharing platforms,” SailPoint Chief Marketing Officer Juliette Rizkallah told SC Media.
“While this gives users the freedom to work however and from whatever device or application that makes them most productive, the increasing use of these applications and devices can potentially expose an organization to costly consequences such as fraud, misuse of data and privacy breaches,” she said.
Rizkallah added that while many organizations have identity programs in place, most fall short of extending their identity governance programs to include governing access to data.
As a result, enterprises need to govern access to data no matter where it resides and have greater visibility into “who has access to what.”