Box Increases Security After Researcher Accesses Confidential Data

Box is at the centre of a privacy issue after a security researcher discovered confidential user documents and data using generic search engines.

The cloud collaboration specialist confirmed it has changed how it handles publicly shared accounts and folders, but denied a flaw with its systems was to blame, and it said it has now added extra precautions to safeguard user data.

Data Leak

The Box.com data issue was reportedly discovered by Markus Neis, threat intelligence manager for Swisscom, according to Threatpost.

According to Neis, the problem arose because of the way Box handles shared cloud storage accounts. He alleged that this could have allowed attackers to access sensitive data stored on “Collaborative” Box accounts managed by businesses and individuals.

Companies such as Dell Technologies, Discovery Communications and biotech firm Illumina, as well as individual accounts, were said to have been affected.

There is no word on the precise numbers involved (although the numbers are said to be relatively small).

The issue seems to have arisen after Neis discovered he could find official invites to more than 10,000 public collaborative Box accounts or documents, just by using Google, Bing and other search engines.

Neis said many of the accounts contained benign data, however other Box accounts contained documents labelled “confidential” and included sensitive financial and proprietary data owners did not intend to share publicly.

“From an attacker’s perspective this is great,” Neis was quoted as saying. “As well as gaining access to sensitive information, this opens the door to social engineering attacks.”

Indexing Issue

So what exactly caused the data breach?

Well, according to Neis, the problem is related to the way Box allows Collaborative account holders to invite outside participants to gain access to shared files and folders.

It seems that when an outside participant was invited to access or “collaborate” with a Box cloud storage account, an invite URL was generated. This URL leads to an automatically generated Box.com landing page, which in some cases was being indexed by Google, Bing and other search engines.

“There was a huge number of invite links that got indexed because people were posting these links online,” he is quoted as saying. “There were also a lot of links found without being able to find references where these links were coming from.”

Extra Safeguards

But Box said the issue had arisen due to a feature, rather than a flaw, and told Silicon UK that extra safeguards had been taken.

“Secure content sharing is core to Box,” Box told Silicon. “Because every user and customer has different sharing needs, we provide many options to make it easy to share content with settings that are as open or as restrictive as needed. We’ve invested a lot in our security model around shared links and continue to explore ways to mitigate any potential issues.”

It seems that Box has made changes to the settings for open collaboration invites and links, including taking extra precautions to ensure no collaboration links are indexed by Google.

Silicon understands that Box has contacted Google and other search engines to remove any public collaboration invitation links from their index, and has proactively disabled those public links that were indexed.

It has also changed its collaboration invite pages to ensure that they will not be indexed by Google in the future, and has changed the default settings on folders so that folder owners must explicitly turn on the collaboration invitation feature, ensuring collaboration links aren’t generated inadvertently.
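As an added illustration (not Box’s code, and not from the article), the kind of check a site owner could run against a sharing landing page to confirm it is served with a noindex directive, which is the mitigation described above. The sample page bodies and response headers are constructed here rather than captured from a live service.

```python
from html.parser import HTMLParser

# Constructed sample: an invite landing page with no indexing controls at all.
OPEN_INVITE_PAGE = "<html><head><title>You've been invited</title></head><body>Join folder</body></html>"
# Constructed sample: the same page hardened with a robots meta tag.
HARDENED_INVITE_PAGE = '<html><head><meta name="robots" content="noindex, nofollow"></head><body>Join folder</body></html>'


class _RobotsMetaParser(HTMLParser):
    """Collects the content of <meta name="robots|googlebot|bingbot"> tags."""
    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases attribute names
        if a.get("name", "").lower() in ("robots", "googlebot", "bingbot"):
            self.directives.append(a.get("content", ""))


def _has_noindex(values):
    # "noindex" and "none" (noindex + nofollow) both block indexing; matching is case-insensitive.
    tokens = {t.strip().lower() for v in values for t in v.split(",")}
    return bool(tokens & {"noindex", "none"})


def is_indexable(headers, body):
    """Return True if a page, as served, could be indexed by a search engine.

    headers: dict of response headers; a value may be a string or a list of
             strings when the header was sent more than once.
    body:    the response HTML.
    Either an X-Robots-Tag header or a robots meta tag saying noindex is enough
    to make the page non-indexable, so both sources are checked.
    """
    header_values = []
    for name, value in headers.items():
        if name.lower() != "x-robots-tag":
            continue
        for raw in (value if isinstance(value, list) else [value]):
            for part in raw.split(","):
                # Tolerate a bot-specific prefix such as "googlebot: noindex".
                header_values.append(part.split(":", 1)[-1])
    if _has_noindex(header_values):
        return False
    parser = _RobotsMetaParser()
    parser.feed(body)
    return not _has_noindex(parser.directives)
```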

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
