Apple among 90+ firms whose private data has been leaked from their Box account

A recent investigation carried out by cybersecurity firm Adversis showed that corporate data belonging to over 90 companies was being inadvertently leaked by users of Box accounts. Box is a cloud-based data management service similar to OneDrive and Google Drive. [caption id=“attachment_6241241” align=“alignnone” width=“1280”] Box Drive for Mac. Image: YouTube[/caption] **Apple** is one of the high-profile names included in the list, though even Box employees are included. As per a report in TechCrunch, this “breach” is a result of users sharing public links to private data. Services like Box, OneDrive, Google Drive and others allow users to share data with others via public or private links. Public links are accessible to everyone and don’t require the setting of additional permissions, making them very convenient for sharing, but also, literally, leaving the data being linked open to the public.

Security researchers found that these companies had no idea that they were leaking sensitive corporate and customer information when public links to files were shared. Box accounts, especially enterprise accounts, are private by default, but users are allowed to share files with anyone. The TechCrunch report reads, " Although data stored in Box enterprise accounts is private by default, users can share files and folders with anyone, making data publicly accessible with a single link. But Adversis said these secret links can be discovered by others. Using a script to scan for and enumerate Box accounts with lists of company names and wildcard searches, Adversis found over 90 companies with publicly accessible folders." Adversis in its blog post wrote that the privacy problem exists on a huge scale and it was impossible to reach out to all the companies, but it “alerted a number of companies that had highly sensitive data exposed.” Also, it was extremely easy to find the information. All Adversis did was take the known domain and sub-domain names for companies with box accounts (http://company.app.box.com/).  

If your company is using #Box with custom domain, try brute-forcing /v/path (https://t.co/RcF6wWtXSx). There could be a lot of confidential data exposed. #BugBounty #Security

— Nenad Zaric (@ZaricNenad_) June 7, 2018

Adversis states that it discovered, “hundreds of thousands of documents and terabytes of data exposed across hundreds of customers. A sampling of data they found includes:

• Hundreds of Passport Photos
• Social Security and Bank Account Numbers
• High profile technology prototype and design files
• Employees lists
• Financial data, invoices, internal issue trackers
• Customer lists and archives of years of internal meetings
• IT data, VPN configurations, network diagrams

The security firm had reported the issue back in September and gave the companies time to take down all their exposed information. TechCrunch reported that the companies “Amadeus, Apple, Box, Discovery, Herbalife, Edelman and Pointcare all reconfigured their enterprise accounts to prevent access to their leaking files” after it reached out to them. Denis Roy, Box spokesperson stated that they take their " customers’ security seriously” and said the company plans to reduce the unintended discovery of public files and folders.