Apple is one of a number of high-profile companies that had corporate data exposed through their accounts on Box, an enterprise cloud storage service.

In all, cybersecurity firm Adversis found that data from more than 90 companies was exposed …

TechCrunch reports that the issue arose due to a weakness with the public link feature offered by Box.

Adversis wrote in a blog post that the privacy problem existed on a massive scale.

Although data stored in Box enterprise accounts is private by default, users can share files and folders with anyone, making data publicly accessible with a single link. But Adversis said these secret links can be discovered by others. Using a script to scan for and enumerate Box accounts with lists of company names and wildcard searches, Adversis found over 90 companies with publicly accessible folders.

Essentially, all Adversis did was take known domain and sub-domain names for companies with Box accounts (http://company.app.box.com/) and then use a dictionary attack to identify valid links.

A sampling of data we found:

  • Hundreds of Passport Photos
  • Social Security and Bank Account Numbers
  • High profile technology prototype and design files
  • Employee lists
  • Financial data, invoices, internal issue trackers
  • Customer lists and archives of years of internal meetings
  • IT data, VPN configurations, network diagrams

The security company first reported the issue to Box back in September, and has waited until today to make it public, to give companies time to remove sensitive data.

TechCrunch said that while many companies exposed sensitive data, that did not appear to be the case with Apple – which has since taken steps to protect its information.

Box said that it is taking action.

Amadeus, Apple, Box, Discovery, Herbalife, Edelman and Pointcare all reconfigured their enterprise accounts to prevent access to their leaking files after TechCrunch reached out.

Box recommends that customers use access controls, such as limiting availability to those with company email addresses, password-protection and expiration policies.

The cloud giant said it plans to reduce the unintended discovery of public files and folders.
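
The controls Box recommends (company-only access, passwords, expiration) can be checked against an inventory of an account's own shared links. The audit below is an added example, not code from Box, Adversis or TechCrunch; it assumes items shaped like Box API file and folder objects with a `shared_link` field (`access`, `is_password_enabled`, `unshared_at`, `vanity_name`), and the sample records are constructed.

```python
from datetime import datetime, timezone

# Constructed sample inventory (made-up names and ids), shaped like Box API
# file/folder objects that carry a "shared_link" field. Assumed input format.
SAMPLE_ITEMS = [
    {"id": "1001", "name": "Q3 invoices", "shared_link": {
        "access": "open", "is_password_enabled": False,
        "unshared_at": None, "vanity_name": "invoices"}},
    {"id": "1002", "name": "Press kit", "shared_link": {
        "access": "open", "is_password_enabled": True,
        "unshared_at": "2030-01-01T00:00:00+00:00", "vanity_name": None}},
    {"id": "1003", "name": "Network diagrams", "shared_link": {
        "access": "company", "is_password_enabled": False,
        "unshared_at": None, "vanity_name": None}},
    {"id": "1004", "name": "Drafts", "shared_link": None},
    {"id": "1005", "name": "Old event", "shared_link": {
        "access": "open", "is_password_enabled": False,
        "unshared_at": "2019-01-01T00:00:00+00:00", "vanity_name": None}},
]

def audit_item(item, now):
    """Return the findings for one item; an empty list means nothing to fix."""
    link = item.get("shared_link")
    if not link or link.get("access") != "open":
        return []  # unshared, or limited to the company / collaborators
    expiry = link.get("unshared_at")
    if expiry is not None and datetime.fromisoformat(expiry) <= now:
        return []  # the link has already expired
    findings = ["open to anyone with the link"]
    if not link.get("is_password_enabled"):
        findings.append("no password")
    if expiry is None:
        findings.append("no expiration")
    if link.get("vanity_name"):
        findings.append("custom URL name")  # easier to find than a random link
    return findings

def audit(items, now=None):
    """Map item id -> findings for every item that needs review."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for item in items:
        findings = audit_item(item, now)
        if findings:
            report[item["id"]] = findings
    return report

if __name__ == "__main__":
    for item_id, findings in audit(SAMPLE_ITEMS).items():
        print(item_id, "; ".join(findings))
```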