[BreachExchange] Misconfigured Enterprise Box accounts leak terabytes of sensitive internal data

Destry Winant destry at riskbasedsecurity.com
Wed Mar 13 02:56:32 EDT 2019


Pen-testing experts have made a worrisome discovery regarding the
popular cloud storage service Box, specifically the Enterprise version
used by some of the world’s biggest companies.

Following up on a warning issued by infosec geeks earlier last year
that failed to gain traction, Adversis researchers discovered a lot of
sensitive data belonging to major companies and corporations stored in
publicly accessible “buckets.”

During testing, they found that links to sensitive internal files can
be determined by brute forcing them (i.e. guessing them), resulting in
the exposure of terabytes of sensitive data. This data included
passport photos, Social Security and bank account numbers, prototypes
and design files, employee lists, financial data, invoices, internal
issue trackers, customer lists, archives of years of internal
meetings, IT data, VPN configurations, network diagrams, and more.

This is not a bug, the team notes, but rather a misuse of the shared
folders functionality. Before going online with their findings, the
researchers gave a heads up to a number of companies that had “highly
sensitive data exposed.” They also reached out directly to Box. The
latter soon updated its “shared links” documentation to clarify what
companies need to do to keep their Box shared files and folders

“Creating public custom shared links for any content may result in
anyone who can guess the URL gaining access to that content. To reduce
risk to sensitive content, we recommend that:

- Administrators configure Shared Link default access to ‘People in
your company’ to reduce accidental creation of public (open) links by
- Administrators regularly run a shared link report (as described
here) to find and manage public custom shared links.
- Users do not create public (open) custom shared links to content
that is not intended for public consumption”
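The first two recommendations above boil down to a periodic review of the shared link report for public (open) links, with public custom links on non-public content as the most urgent finding, since a custom URL is what makes a link guessable. The following is an added example of such an audit, not code from the original post, from Box, or from Adversis; the CSV column names and the sample rows are constructed for illustration and are not Box's actual export format.

```python
"""Audit a shared-link report for public (open) links.

Added example. The CSV layout below is an assumption for illustration,
not Box's real shared-link report schema.
"""
import csv
import io

# Constructed sample export (column names are assumptions, not Box's schema).
SAMPLE_REPORT = """item_name,item_type,access_level,custom_url,owner
Q3-invoices.xlsx,file,open,https://company.app.box.com/v/invoices,finance@example.com
vpn-config.ovpn,file,company,,it@example.com
design-prototype.fig,file,open,,design@example.com
all-hands-2018,folder,open,https://company.app.box.com/v/allhands,hr@example.com
public-brochure.pdf,file,open,https://company.app.box.com/v/brochure,marketing@example.com
"""

# Items the organisation deliberately publishes; any other open link is suspect.
ALLOWED_PUBLIC = {"public-brochure.pdf"}


def parse_report(text):
    """Parse the report text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(row, allowed_public=ALLOWED_PUBLIC):
    """Return a verdict for one row.

    ok             - not an open link; 'People in your company' or collaborator-only
                     links are not reachable by guessing a URL
    allowed-public - open, but on content the organisation intends to be public
    open-custom    - open link with a custom (vanity) URL on non-public content:
                     the guessable case the advisory warns about, highest priority
    open-random    - open link with only the random token; still worth reviewing
    """
    access = row["access_level"].strip().lower()
    if access != "open":
        return "ok"
    if row["item_name"] in allowed_public:
        return "allowed-public"
    if row["custom_url"].strip():
        return "open-custom"
    return "open-random"


def audit(text, allowed_public=ALLOWED_PUBLIC):
    """Map item name -> verdict for every open link that is not an allowed public item."""
    findings = {}
    for row in parse_report(text):
        verdict = classify(row, allowed_public)
        if verdict.startswith("open"):
            findings[row["item_name"]] = verdict
    return findings


if __name__ == "__main__":
    # Print the findings, most urgent (open-custom) first.
    for name, verdict in sorted(audit(SAMPLE_REPORT).items(), key=lambda kv: kv[1]):
        print(f"{verdict:12} {name}")
```

Running the script against the constructed report flags the invoices spreadsheet and the all-hands folder as open custom links and the design prototype as an open random-token link; the VPN config is company-only and the brochure is on the allow list, so neither is reported. In practice the allow list would come from whoever owns the content, and the report would be the real export the advisory tells administrators to run regularly.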

According to TechCrunch, among the companies with internal data
exposed through misconfigured Box buckets are flight-reservation
service Amadeus, television network Discovery, nutrition giant
Herbalife, PR firm Edelman, medical insurer PointCare, and even Apple
and Box themselves.
