
Companies that use Box.com as a cloud-based file hosting and sharing system might be accidentally exposing internal files, sensitive documents, or proprietary technology.

The exposure occurs due to human error, said Adversis, the cyber-security firm which investigated this issue and worked with Box and affected companies to correct it.

The problem lies with Box.com account owners who don't set a default access level of "People in your company" for file/folder sharing links, leaving all newly created links accessible to the public.

If the organization also allows users to customize the link with vanity URLs instead of using random characters, then the links of these files can be guessed using dictionary attacks.
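A defender's view of the same condition: the script below, an added example not from the article or from Adversis, audits a Box folder listing for share links whose access level is "open" and flags those that also carry a vanity URL, since a guessable name is what turns a public link into a dictionary-attack target. It assumes input shaped like the `entries` array of Box's `GET /2.0/folders/{id}/items?fields=name,shared_link` response (the `access`, `url` and `vanity_url` fields as Box documents them); the listing itself is constructed, not live data.

```python
"""Audit a Box folder listing for share links open to anyone on the internet."""
from typing import Dict, List

# Constructed sample listing shaped like Box's folder-items response; not real data.
SAMPLE_ENTRIES = [
    {"type": "file", "id": "1", "name": "vpn-config.txt",
     "shared_link": {"access": "open",
                     "url": "https://app.box.com/s/a1b2c3d4e5f6g7h8",
                     "vanity_url": "https://example.app.box.com/v/vpn-config"}},
    {"type": "file", "id": "2", "name": "meeting-notes.docx",
     "shared_link": {"access": "company",          # limited to the enterprise
                     "url": "https://app.box.com/s/h8g7f6e5d4c3b2a1",
                     "vanity_url": None}},
    {"type": "folder", "id": "3", "name": "prototypes",
     "shared_link": {"access": "open",             # public, but random token only
                     "url": "https://app.box.com/s/0f0f0f0f0f0f0f0f",
                     "vanity_url": None}},
    {"type": "file", "id": "4", "name": "private.xlsx", "shared_link": None},
]


def find_public_links(entries: List[Dict]) -> List[Dict]:
    """Return one finding per item whose share link access level is "open".

    A vanity URL raises the severity: the random /s/ token is not guessable,
    a human-chosen name is, which is the exposure the article describes.
    """
    findings = []
    for item in entries:
        link = item.get("shared_link")
        if not link or link.get("access") != "open":
            continue  # no link, or restricted to company/collaborators
        has_vanity = bool(link.get("vanity_url"))
        findings.append({
            "id": item["id"],
            "name": item["name"],
            "type": item["type"],
            "vanity": has_vanity,
            "severity": "high" if has_vanity else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_public_links(SAMPLE_ENTRIES):
        print(f"{f['severity']:6} {f['type']:6} {f['name']} vanity={f['vanity']}")
```

The two "open" items are reported; the company-scoped link and the unshared file are not.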

This is what Adversis did last year. The company says it scanned Box.com for accounts belonging to large companies and attempted to guess vanity URLs of files or folders that employees shared in the past.

Its efforts weren't in vain. In a report[1] published today, Adversis said it found a trove of highly sensitive data such as:

  • Hundreds of passport photos
  • Social Security and bank account numbers
  • High-profile technology prototype and design files
  • Employee lists
  • Financial data, invoices, internal issue trackers
  • Customer lists and archives of years of internal meetings
  • IT data, VPN configurations, network diagrams

TechCrunch[2], which was privy to some of Adversis' research findings, said that the companies which exposed internal files included the likes of Apple, the Discovery Channel, Herbalife, Schneider Electric, and even Box itself.

Most of these file leaks have been fixed, and Box notified all customers last September of the dangers of using incorrect access permissions for Box.com share links.

ZDNet reached out to Box earlier today and
