Box links are leaking sensitive data and documents from more than 90 companies, warn security specialists

Technology prototypes and design files, bank account numbers and passwords among the data inadvertently publicly shared over Box

More than 90 major companies are exposing sensitive data via the sharing of public links to documents stored on their Box enterprise storage accounts.

That's the warning of security specialists at Adversis, which suggests that staff often don't realise that sharing links to documents stored on Box can make them public property.

Not only are those links relatively easy to discover, but Adversis also found that some public folders were indexed by search engines, making the shared documents even easier to find.

The company claimed that it had found hundreds of passport photos, bank account and US Social Security numbers, high-profile technology prototypes and design files, passwords, employee lists, VPN configurations and financial data, including invoices and receipts.

"In the first couple of days of running a non-aggressive scan, we had thousands of files and terabytes of data from dozens of companies," Adversis claimed. "A lot of the data was, indeed, public information or simply marketing material, but a considerable amount was sensitive.

"If your company uses Box, there is a good chance you are leaking sensitive data already and you may want to finish reading this after you disable public file sharing."

Apple, television network Discovery, flight reservation system Amadeus and nutrition company Herbalife have all been exposed in this way, along with Box itself, according to TechCrunch. Adversis said it contacted Box as long ago as 24 September 2018, but said there was little overall improvement six months after its initial disclosure.

However, Box's founder and CEO was quick to swing into action with promises of security improvements when Adversis went public with its findings yesterday.

The company also issued a formal statement suggesting that it was "taking steps" to raise awareness about the company's privacy settings when it comes to sharing files.

"We take our customers' security seriously and we provide controls that allow our customers to choose the right level of security based on the sensitivity of the content they are sharing," a spokesperson said.

"In some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to public or 'open'.

"We are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links."

The company also published a blog post outlining how corporate customers can share their information more securely on the platform.

For example, it advises that users set the Shared Link default access to 'People in your company', that administrators regularly run a shared link report, and that users do not create public (open) custom shared links to content that is not intended for public consumption.
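As an added illustration of the "run a shared link report" advice (this is example code, not Box's or Adversis's tooling), the script below audits file records for links whose access level is `open`, i.e. reachable by anyone with the URL, and notes when such a link has no password or no expiry. The records are a constructed sample shaped like the `shared_link` object the Box Content API returns on files and folders; the field names `access`, `unshared_at` and `is_password_enabled` are assumed from that API, and `company` corresponds to the 'People in your company' setting.

```python
"""Flag Box shared links that are open to anyone holding the URL."""
from datetime import datetime, timezone

# Access levels Box uses on a shared link, from most to least exposed.
OPEN, COMPANY, COLLABORATORS = "open", "company", "collaborators"

# Constructed sample records (assumed API shape), not real customer data.
SAMPLE_ITEMS = [
    {"name": "prototype_v3.pdf",
     "shared_link": {"access": "open", "unshared_at": None, "is_password_enabled": False}},
    {"name": "q1_invoices.xlsx",
     "shared_link": {"access": "open", "unshared_at": "2019-04-01T00:00:00Z",
                     "is_password_enabled": True}},
    {"name": "press_kit.zip",
     "shared_link": {"access": "company", "unshared_at": None, "is_password_enabled": False}},
    {"name": "vpn.ovpn", "shared_link": None},  # never shared by link
]


def summarize(items):
    """Count items per access level; 'none' means no shared link exists."""
    counts = {OPEN: 0, COMPANY: 0, COLLABORATORS: 0, "none": 0}
    for item in items:
        link = item.get("shared_link")
        level = link.get("access", "none") if link else "none"
        counts[level] = counts.get(level, 0) + 1
    return counts


def audit(items):
    """Return (name, reasons) for every item whose link is public ('open').

    A password or an expiry (unshared_at) narrows the exposure window, so
    their absence is recorded as an extra reason for the reviewer.
    """
    findings = []
    for item in items:
        link = item.get("shared_link")
        if not link or link.get("access") != OPEN:
            continue  # company/collaborators links need an account to use
        reasons = ["access=open"]
        if not link.get("is_password_enabled"):
            reasons.append("no password")
        if link.get("unshared_at") is None:
            reasons.append("no expiry")
        findings.append((item["name"], reasons))
    return findings


if __name__ == "__main__":
    print("by access level:", summarize(SAMPLE_ITEMS))
    for name, reasons in audit(SAMPLE_ITEMS):
        print(f"REVIEW {name}: {', '.join(reasons)}")
```

Pointing `audit()` at a real export is a quick way to measure how many 'open' links exist before changing the default to 'People in your company', since changing the default does not retroactively alter links already created.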