Box.com has been revealed to have a security bug that gives criminals the ability to access arbitrary public data. Continue reading our article for more information.
Box.com Public Data Can Be Accessed Easily
The cloud storage service recently changed the way publicly shared accounts display their data and folders. After the change was adopted, a security researcher uncovered how specific search engine query strings can be used to find links to such shared data.
This bug has been labeled a "flaw" and is related to the way Box.com handles its customers' data. The problem lies in the fact that the service allows remote attackers to access sensitive information stored in Collaborative accounts. These types of accounts allow multiple users to work on various documents and upload files. Some of the more well-known organizations and companies that use them are Dell Technologies, Discovery Communications and others.
Via Google, Bing and other search engines the security researcher was able to discover invite codes to more than 10000 public collaborative documents or accounts. While many of them contain non-important information, some of them were labeled as confidential. During a test scan, several items of sensitive financial and property data were found.
It is possible that this flaw can be classified as a data leakage incident. Being able to reach account data through search engine queries is one of the main identifiers of this type of security vulnerability.
The problem lies in the fact that Box.com allows outside participants to gain access to the shared files and folders. When an outside party is invited to collaborate, they are admitted through an invite URL generated by the system. The security flaw arises when the service automatically creates a landing page for that URL: a problem in the design of these pages leaves them open to the indexing bots used by the search engines, so the invite links end up in search results. By default, Collaboration links grant Editor permissions, which gives attackers the ability to download, view, upload, edit and rename the target files.
According to Box.com, the links are indexed by search engines only after they are explicitly shared by the account holders on third-party web sites. The service has stated that it has contacted Google and has restructured and modified the invite system to resolve the problem.
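The mechanism described above, an invite landing page that carries no signal telling crawlers to stay away, is something a service owner can check for on their own pages. The following is an added example, not Box.com's code or anything from the article: it inspects an HTTP response (headers plus HTML body) for the standard `X-Robots-Tag` header and `<meta name="robots">` tag and reports whether the page is still indexable. The two sample responses at the bottom are constructed for illustration.

```python
"""Check whether a share/invite landing page tells search engine crawlers not
to index it. Added example for illustration, not Box.com's own code."""
from html.parser import HTMLParser

ROBOTS_META_NAMES = ("robots", "googlebot", "bingbot")


class _RobotsMetaParser(HTMLParser):
    """Collects the content of <meta name="robots"|"googlebot"|"bingbot"> tags."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() in ROBOTS_META_NAMES:
            self.directives.append(attr.get("content", ""))


def _has_noindex(value):
    """True if a robots directive string contains noindex (or 'none', which
    implies noindex). Handles the 'googlebot: noindex' header form as well."""
    for raw in value.lower().split(","):
        token = raw.split(":", 1)[-1].strip()  # drop optional "<bot>:" prefix
        if token in ("noindex", "none"):
            return True
    return False


def landing_page_is_indexable(headers, body):
    """Return True when neither the response headers nor the HTML body carries
    a noindex directive, i.e. a crawler that finds the URL may index it."""
    for name, value in headers.items():
        if name.lower() == "x-robots-tag" and _has_noindex(value):
            return False
    parser = _RobotsMetaParser()
    parser.feed(body)
    return not any(_has_noindex(d) for d in parser.directives)


# Constructed sample responses (not real Box.com pages).
LEAKY_RESPONSE = (
    {"Content-Type": "text/html"},
    "<html><head><title>You have been invited</title></head>"
    "<body><a href='/collab/PLACEHOLDER-INVITE-CODE'>Accept invite</a></body></html>",
)
HEADER_FIXED_RESPONSE = (
    {"Content-Type": "text/html", "X-Robots-Tag": "googlebot: noindex, nofollow"},
    LEAKY_RESPONSE[1],
)
META_FIXED_RESPONSE = (
    {"Content-Type": "text/html"},
    "<html><head><meta name=\"robots\" content=\"noindex, nofollow\"></head>"
    "<body>Accept invite</body></html>",
)


def audit_samples():
    """Run the check over the constructed samples; returns name -> indexable?"""
    samples = {
        "leaky": LEAKY_RESPONSE,
        "header_fixed": HEADER_FIXED_RESPONSE,
        "meta_fixed": META_FIXED_RESPONSE,
    }
    return {name: landing_page_is_indexable(h, b) for name, (h, b) in samples.items()}


if __name__ == "__main__":
    for name, indexable in audit_samples().items():
        print(f"{name}: {'INDEXABLE' if indexable else 'noindex present'}")
```

A `noindex` directive only stops well-behaved crawlers from listing a page that they have already reached; it does not make the invite URL itself unguessable, which is why the article's remedy of changing the invite system matters more than the page markup alone.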
At the moment it is not known what percentage of Collaborative accounts using the Box.com service are affected by the incident.