Misconfigured Box accounts leak terabytes of companies’ sensitive data

If your company uses Box for cloud-based file sharing, security researchers are advising you to stop reading right now and immediately disable public file sharing: vanity-named subdomains and URLs are “easily brute-forceable,” leaving companies’ publicly shared data open to extremely easy attacks.

Security firm Adversis published a report on Monday after using a “relatively large” wordlist to uncover hundreds of Box customers’ subdomains, through which they could access hundreds of thousands of documents and terabytes of extremely sensitive data.

A sampling of what the researchers found:

  • Hundreds of passport photos
  • Social Security and bank account numbers
  • High-profile technology prototype and design files
  • Lists of employees
  • Financial data, invoices, internal issue trackers
  • Customer lists and archives of years’ worth of internal meetings
  • IT data, VPN configurations, network diagrams

Adversis says its initial impulse was to reach out to all the affected companies, but the scale of the task ruled that out. After finding that a large percentage of Box customer accounts that it tested had thousands of exposed, sensitive documents, the firm alerted some of those companies, gave Box a heads-up – that was on 24 September – and published its report.

As Box Chief Customer Officer Jon Herstein said in a blog post on Sunday, Box offers various ways for its customers to allow content sharing both between employees and outside the company.

Data stored in Box enterprise accounts is private by default. But in order to make it easy for its customers to share content with large groups – be it privately or publicly – Box offers the “Custom Shared Link” feature, which enables its customers to customize the default secure shared links so they’re easier to find. Box gives the example of a car company that wants to distribute public press releases for a product launch: you can see where the car company would like the idea of customizing the URL to read something like this: https://<carcompanyname>.app.box.com/v/<pressrelease>

This is neither a bug nor a vulnerability, mind you. It’s simply a way to easily make data publicly accessible with a single link. In fact, Adversis noted, it was called out as an easy attack method back in June 2018:

The problem: with this type of predictable URL formulation, these “secret” links are easy to discover. So that’s what Adversis did: its researchers whipped up a script to scan for and enumerate Box accounts with lists of company names and wildcard searches. It easily found Box customer accounts by checking https://<companyname> .account.box.com. If that link returned a target company’s logo, that meant it’s a paying customer and is “probably susceptible,” the firm said.

Then, the researchers sat back and watched the wave come in:

At that point, we began brute forcing folder and file names which began returning results faster than we could review them.

Much of the data, found leaking in subdomains of dozens of companies, was harmless, in that it was meant to be public. But then too, there was all that “oh, dear!” data:

These included passport photos, prototype details with raw CAD files for some very prominent new and coming tech, Social Security Numbers, financial documents, internal IT data including network diagrams and asset information, and innumerable “confidential” slide decks.

Who’s leaking data?

Adversis says it contacted a “small minority” of affected companies and vendors, most of which promptly closed the leak. Box acknowledged the issue and updated its file-sharing guidelines.

Adversis gave TechCrunch a list of some of the exposed Box accounts, and the publication contacted several of the big names on that list. Those big companies represent a smorgasbord of industries: from a flight reservation system maker, on to a nonprofit that handles corpse donations, a TV network, Apple (though the tech behemoth apparently only exposed what looked like non-sensitive internal data, such as logs and regional price lists), and more.

The data exposed included default passwords and, in some cases, backdoor access passwords in case of forgotten passwords; a PR firm’s detailed proposal plans and more than a dozen resumes of potential staff for the project, including names, email addresses, and phone numbers.

That list of exposed accounts included even Box itself. From TechCrunch:

Box, which initially had no comment when we reached out, had several folders exposed. The company exposed signed non-disclosure agreements on their clients, including several U.S. schools, as well as performance metrics of its own staff, the researchers said.

What to do

Box recommended making these changes to deal with the issue of URL guessing and subsequent leakage:

  • Administrators configure Shared Link default access to ‘People in your company’ to reduce accidental creation of public (open) links by users.
  • Administrators regularly run a shared link report (as described here) to find and manage public custom shared links.
  • Security Administrators leverage third-party SIEM or log tools to consistently review suspicious content activity across your enterprise.
  • Users do not create public (open) custom shared links to content that is not intended for public consumption.
  • Users only post shared content with open shared links on public web pages if you want the content to be indexed and available by Google and available for public consumption.

Box says it’s working on improving Box security by…

  • Adding more user education to the link settings tool on Box to make the potential implications of public link access even more clear, and advising that no sensitive content ever be shared with this level of permission.
  • Improved admin policies for public shared links, including changing the default setting in the Box Admin console to disabled public custom shared link URLs until a company Box Admin decides to enables it; and setting the default access level for shared links in Admin console to “people in your company.” That default can only be changed by a company’s Box Admin. As a result, in a default configuration of Box, end users will need to expressly change the shared link setting to “people with the link” to make the link externally accessible.
  • More stringent controls to reduce unintended content access. Box says it’s working on a variety of methods to limit the unintended discovery of open/public links and prevent content access by external parties.

For its part, Adversis has open-sourced and published the scanning tool it used to find the exposed accounts. Aptly enough, the tool’s name is PandorasBox.