A new report regarding Box, one of the most widely used corporate cloud-sharing tools, highlights what could happen if your cloud-sharing settings aren’t correctly set.
The cloud is an important part of the modern workforce, but poor configuration of key tools and improper training can unwittingly leave your most sensitive data in the public sphere.
This is the finding of a security firm, Adversis, which is warning about one tool in particular, Box Enterprise. The firm noted that the technology was designed in a way that made it easy to share a link publicly, trace it back to the originating company (because the Box account is associated with a company through a subdomain), and, using open-source intelligence-gathering techniques, find and potentially download files that had previously been shared publicly. The issue is most concerning for files shared using custom URLs, which can be easier to guess than the randomized links that Box generally relies on.
The problem, the firm noted, is essentially the same as one you might find if you’re using a file service on Amazon’s Simple Storage Service (S3): someone who is willing to dig through a public folder might just find something good. But considering the use case is different—a Box server is intended as a way to safely share valued corporate information, and generally allows for detailed controls on access—this finding is worrying, Adversis says.
“A large percentage of the Box customer accounts we tested had thousands of sensitive documents exposed. We alerted a number of companies that had highly sensitive data exposed, reached out directly to Box, and published this write-up,” the company stated in a blog post. “If your company uses Box, there is a good chance you are leaking sensitive data already, and you may want to finish reading this after you disable public file sharing.”
In comments to TechCrunch, Adversis noted that much of the data is legitimately public—but a lot of it, some on servers owned by major companies, was clearly intended to be private. This includes customer data, scanned passports, and internal proposals.
“There is simply too much out there and not enough time to resolve each individually,” the firm told TechCrunch.
Adversis recommended that the solution to this problem might involve stronger defaults—instead of letting files be shared with anyone, set the default so that files can be shared only within your organization. Many of the companies named in the TechCrunch report did exactly this when alerted to the exposure.
For its part, Box spokesman Denis Roy stated the firm was working to improve clarity on its default settings.
“We are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links,” he told the outlet. (Details regarding the exact changes, including turning off custom URLs by default, can be found on the company’s blog.)
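The following audit script is an added example, not code from Adversis, Box, or the report. It sorts a set of Box shared-link records into the exposure classes the report describes (public links with a custom URL first, then randomized public links, then organization-only links); the field names it reads and the sample records it runs over are assumptions, not live API output.

```python
"""Audit Box shared-link metadata for the exposure pattern in the report.
Added example, not code from the report or from Box. Field names follow
Box's shared_link object ("access", "vanity_url", "vanity_name") and are an
assumption; the sample items below are constructed, not real API output."""
from collections import Counter

# Constructed sample of file records, each with its shared_link (or None).
SAMPLE_ITEMS = [
    {"id": "1001", "name": "press-kit.pdf",
     "shared_link": {"access": "open",
                     "url": "https://example.app.box.com/s/q8z1m4v7kx2p9r3t",
                     "vanity_url": None, "vanity_name": None}},
    {"id": "1002", "name": "customer-list.xlsx",
     "shared_link": {"access": "open",
                     "url": "https://example.app.box.com/s/a2c4e6g8i0k1m3o5",
                     "vanity_url": "https://example.app.box.com/v/customers",
                     "vanity_name": "customers"}},
    {"id": "1003", "name": "roadmap.docx",
     "shared_link": {"access": "company",
                     "url": "https://example.app.box.com/s/z9y8x7w6v5u4t3s2",
                     "vanity_url": None, "vanity_name": None}},
    {"id": "1004", "name": "notes.txt", "shared_link": None},
]

# Ordered from most to least exposed.
RISK_ORDER = ("public-custom-url", "public", "internal", "not-shared")

def classify(item):
    """Return the exposure class for one file/folder record."""
    link = item.get("shared_link")
    if not link:
        return "not-shared"
    if link.get("access") == "open":
        # A custom (vanity) name is guessable; a random /s/ token is not.
        return "public-custom-url" if link.get("vanity_name") else "public"
    # "company" and "collaborators" links both require a signed-in user.
    return "internal"

def audit(items):
    """Return (Counter of class -> count, names of publicly reachable items)."""
    classes = {item["name"]: classify(item) for item in items}
    counts = Counter(classes.values())
    flagged = [n for n, c in classes.items() if c.startswith("public")]
    return counts, flagged

if __name__ == "__main__":
    counts, flagged = audit(SAMPLE_ITEMS)
    for cls in RISK_ORDER:
        print(f"{cls:18s} {counts[cls]}")
    print("review first:", ", ".join(flagged))
```

Pointing the same classification at a real inventory (for example, the output of an enterprise-wide file listing) turns it into a quick check of how far your current defaults have drifted from organization-only sharing.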
Even if you’re not using Box, it’s worth taking a close look at your defaults with a cloud-sharing tool. You never know who might be snooping around your server.