Confidential Apple files exposed to public in misconfigured Box account
A poor configuration of the cloud storage service Box has left sensitive data open to viewing by unauthorized users, security researchers have discovered, with Apple and other prominent companies found to have inadvertently left files and folders accessible to the public.
Cloud storage services tout security alongside the ability to easily share data with other users or to the public, but using such services are usually accompanied by the risk of a breach by online criminals, something that firms work to prevent. Even so, a breach isn't necessarily needed for data to be accessed by unwanted parties, as sometimes it can simply be a poor configuration.
Researchers from cybersecurity firm Adversis have discovered numerous major customers of Box Enterprise are risking their data by taking advantage of the sharing functionality of the service, reports TechCrunch. In researching the problem, hundreds of thousands of documents and terabytes of data were found to be accessible from the storage of hundreds of Box's clients.
The issue lay in the way that files could be shared by links on custom domains. Once a link was found, it was possible for researchers to discover other secret links on a subdomain by brute force.
According to Adversis, Box advised account administrators configure shared link default access to "people in your company" to minimize exposure to the public. Running a regular shared link report would help discover active links that could be deactivated over time, and recommends that users do not create public custom shared links to content "that is not intended for public consumption."
Data discovered by the firm includes passport photos, bank account numbers, Social Security numbers, passwords, lists of employees, and assorted financial and customer data. In the case of Apple, it was found to have several folders exposed containing "non-sensitive internal data," like log files and price lists.
Other identified firms include Amadeus, Discovery, Herbalife, Edelman, Pointcare, and Box itself. Since the reporting of the issue, all the identified companies have reconfigured their enterprise accounts.
Cloud storage services tout security alongside the ability to easily share data with other users or to the public, but using such services are usually accompanied by the risk of a breach by online criminals, something that firms work to prevent. Even so, a breach isn't necessarily needed for data to be accessed by unwanted parties, as sometimes it can simply be a poor configuration.
Researchers from cybersecurity firm Adversis have discovered numerous major customers of Box Enterprise are risking their data by taking advantage of the sharing functionality of the service, reports TechCrunch. In researching the problem, hundreds of thousands of documents and terabytes of data were found to be accessible from the storage of hundreds of Box's clients.
The issue lay in the way that files could be shared by links on custom domains. Once a link was found, it was possible for researchers to discover other secret links on a subdomain by brute force.
According to Adversis, Box advised account administrators configure shared link default access to "people in your company" to minimize exposure to the public. Running a regular shared link report would help discover active links that could be deactivated over time, and recommends that users do not create public custom shared links to content "that is not intended for public consumption."
Data discovered by the firm includes passport photos, bank account numbers, Social Security numbers, passwords, lists of employees, and assorted financial and customer data. In the case of Apple, it was found to have several folders exposed containing "non-sensitive internal data," like log files and price lists.
Other identified firms include Amadeus, Discovery, Herbalife, Edelman, Pointcare, and Box itself. Since the reporting of the issue, all the identified companies have reconfigured their enterprise accounts.
Comments
Apple creating their own OneDrive or Sharepoint equivalent never happened... (which would have been cool)
But, I doubt anything really confidential of Apples would have been on Box. It was probably marketing stuff, like Apple's “Shot on iPhone” photo contest...
Tell me again why Apple can't provide their own solution to this if I can build one in a basic *unix environment for almost nothing with not much thought? Much less using a third-party like Box for "confidential" documents?
I'm just scratching my head over here trying to figure this one out.
So true. Box also has some glitches that can make your stuff disappear. Especially after confirming it had backed up your info.