Confidential Apple files exposed to public in misconfigured Box account


A poor configuration of the cloud storage service Box has left sensitive data open to viewing by unauthorized users, security researchers have discovered, with Apple and other prominent companies found to have inadvertently left files and folders accessible to the public.

Cloud storage services tout security alongside the ability to easily share data with other users or with the public, but using such services usually carries the risk of a breach by online criminals, something that firms work to prevent. Even so, a breach isn't necessarily needed for data to reach unwanted parties: sometimes a poor configuration is enough.

Researchers from cybersecurity firm Adversis have discovered numerous major customers of Box Enterprise are risking their data by taking advantage of the sharing functionality of the service, reports TechCrunch. In researching the problem, hundreds of thousands of documents and terabytes of data were found to be accessible from the storage of hundreds of Box's clients.

The issue lay in the way that files could be shared by links on a company's custom Box subdomain. Once one such link was found, the researchers were able to discover other supposedly secret links on the same subdomain by brute force, because the shared links were predictable enough to enumerate rather than being unguessable secrets.

According to Adversis, Box advised account administrators to configure the shared link default access to "people in your company" to minimize exposure to the public. Running a regular shared link report would help discover active links that could be deactivated over time, and Box recommends that users do not create public custom shared links to content "that is not intended for public consumption."
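The shared link report Box recommends can also be scripted. The following is an added example, not Adversis's research tooling or Box's own code: it walks a folder tree through the Box Content API and lists every item whose shared link is open to anyone, so an administrator can review and revoke them. It assumes the v2 API shapes used in the constructed sample below (`GET /2.0/folders/{id}/items?fields=name,type,shared_link` returning paginated `entries` with `total_count`, a `shared_link.access` value of `open`, `company` or `collaborators`, and `PUT /2.0/files/{id}` with `{"shared_link": null}` to remove a link); the hostnames, item ids and file names are made up.

```python
"""Audit a Box account for items shared via public ("open") links.

Added example, not Adversis's or Box's code. Assumes the Box Content API v2
listing shape reproduced in the constructed SAMPLE_TREE below.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterator, List, Tuple

BOX_API = "https://api.box.com/2.0"
PAGE_SIZE = 2  # deliberately tiny so the sample exercises pagination

# Constructed sample data mirroring GET /2.0/folders/{id}/items responses.
SAMPLE_TREE: Dict[str, List[dict]] = {
    "0": [
        {"type": "folder", "id": "10", "name": "Finance"},
        {"type": "file", "id": "11", "name": "price-list.xlsx",
         "shared_link": {"url": "https://acme.app.box.com/s/abc123", "access": "open"}},
        {"type": "file", "id": "12", "name": "logs.txt",
         "shared_link": {"url": "https://acme.app.box.com/s/def456", "access": "company"}},
    ],
    "10": [
        {"type": "file", "id": "20", "name": "bank-details.pdf",
         "shared_link": {"url": "https://acme.app.box.com/s/ghi789", "access": "open"}},
        {"type": "file", "id": "21", "name": "internal.docx"},
    ],
}

# A fetch function returns one page of a folder listing: {"entries": [...], "total_count": n}.
Fetch = Callable[[str, int], dict]


def sample_fetch(folder_id: str, offset: int) -> dict:
    """Offline stand-in for the Box API, serving SAMPLE_TREE in PAGE_SIZE pages."""
    entries = SAMPLE_TREE.get(folder_id, [])
    return {"entries": entries[offset:offset + PAGE_SIZE], "total_count": len(entries)}


def box_fetch(token: str) -> Fetch:
    """Real fetcher for a Box OAuth bearer token (assumed endpoint and query parameters)."""
    def fetch(folder_id: str, offset: int) -> dict:
        url = (f"{BOX_API}/folders/{folder_id}/items"
               f"?fields=name,type,shared_link&limit={PAGE_SIZE}&offset={offset}")
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def walk(fetch: Fetch, folder_id: str = "0", path: str = "") -> Iterator[Tuple[str, dict]]:
    """Depth-first walk of the folder tree, following Box's offset/total_count paging."""
    offset = 0
    while True:
        page = fetch(folder_id, offset)
        entries = page.get("entries", [])
        for item in entries:
            item_path = f"{path}/{item['name']}"
            yield item_path, item
            if item["type"] == "folder":
                yield from walk(fetch, item["id"], item_path)
        offset += len(entries)
        if not entries or offset >= page.get("total_count", 0):
            return


def find_public_links(fetch: Fetch, root: str = "0") -> List[Tuple[str, str, str]]:
    """Return (path, item_id, url) for every item whose shared link is open to anyone.

    Links with access "company" or "collaborators" are not reported: they are the
    setting Box recommends as the default.
    """
    hits = []
    for path, item in walk(fetch, root):
        link = item.get("shared_link")
        if link and link.get("access") == "open":
            hits.append((path, item["id"], link["url"]))
    return hits


def revoke_shared_link(token: str, item_type: str, item_id: str) -> None:
    """Remove a shared link by PUTting shared_link: null (assumed Box API convention)."""
    req = urllib.request.Request(
        f"{BOX_API}/{item_type}s/{item_id}?fields=shared_link",
        data=json.dumps({"shared_link": None}).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        resp.read()


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in box_fetch(token) for a real account.
    for path, item_id, url in find_public_links(sample_fetch):
        print(f"PUBLIC  {path}  (id {item_id})  {url}")
```

Run against the sample it reports only the two "open" links (the `company`-scoped link and the unshared file are left alone); against a real account, review each hit before calling `revoke_shared_link`, since some public links are intentional.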

Data discovered by the firm includes passport photos, bank account numbers, Social Security numbers, passwords, lists of employees, and assorted financial and customer data. In the case of Apple, it was found to have several folders exposed containing "non-sensitive internal data," like log files and price lists.

Other identified firms include Amadeus, Discovery, Herbalife, Edelman, Pointcare, and Box itself. Since the reporting of the issue, all the identified companies have reconfigured their enterprise accounts.