10,000 Private Box.com Docs Found In Public Domain

A file-sharing system considered safe for enterprises to use for protected document collaboration had its assets show up on Google searches recently.

A threat intelligence researcher from Swisscom, Markus Neis, came across Box.com files shared among enterprises such as Dell Technologies, Discovery Communications, Illumina, and other accounts held by individuals, according to multiple reports.

Between Google and Bing searches, Neis said he was able to find official invites to some 10,000 public Box.com collaborative accounts and documents, some of which contained confidential information, including financial and proprietary company data that was not intended to be shared publicly.

Box is a cloud-based file-sharing system that integrates with platforms from Microsoft, Google, IBM and Salesforce, and touts its ability to offer a secure mobile experience while utilizing third-party EMM providers.

In a prepared statement to Enterprise Mobility Exchange, Box said, “Secure content sharing is core to Box. Because every user and customer have different sharing needs, we provide many options to make it easy to share content with settings that are as open or as restrictive as needed. We’ve invested a lot in our security model around shared links and continue to explore ways to mitigate any potential issues.”

The company went further, saying users may have been utilizing features that created open pathways to the content without knowing.

“A security researcher points out that if a user publishes an "open" link to a public web page (such as the customer's website or blog) search engines like Google, who are continuously crawling the public web, can index those links, potentially making a collaboration page discoverable to a wider audience than the user may have intended,” the statement said. “This was never the intent of this feature, and we've since taken extra precautions to make this feature more usable and secure, including ensuring no collaboration links are indexed by Google:

  • We contacted Google and the other major search engines to have them remove any public collaboration invitation links from their index. We also proactively disabled those public links that had been indexed.
  • We made a change to our collaboration invite pages to ensure that they will not be indexed by Google search engines in the future.
  • Finally, we've changed the default settings on folders to require folder owners to turn on the collaboration invitation feature to ensure collaboration links aren't generated inadvertently.”
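The statement does not say how the invite pages were changed. As an added example (not Box's code), the Python sketch below shows how an administrator could audit their own shared-link pages for the standard no-index signals, assuming the `X-Robots-Tag` response header and robots `<meta>` tags are the mechanism; the URLs and responses are constructed samples.

```python
from html.parser import HTMLParser

BLOCKING = {"noindex", "none"}  # "none" means noindex + nofollow
META_NAMES = {"robots": "*", "googlebot": "googlebot", "bingbot": "bingbot"}

class RobotsMeta(HTMLParser):
    """Collect (agent, directive) pairs from robots-style <meta> tags."""
    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        agent = META_NAMES.get(a.get("name", "").strip().lower())
        if tag == "meta" and agent:
            self.directives += [(agent, d.strip().lower())
                                for d in a.get("content", "").split(",")]

def header_directives(headers):
    """Parse X-Robots-Tag values from a list of (name, value) pairs."""
    out = []
    for name, value in headers:
        if name.lower() != "x-robots-tag":
            continue
        agent = "*"
        for part in value.lower().split(","):
            part = part.strip()
            # "googlebot: noindex" scopes the rest of the value to one crawler;
            # directives that carry their own colon are left alone.
            if ":" in part and not part.startswith(("unavailable_after", "max-")):
                agent, part = (p.strip() for p in part.split(":", 1))
            out.append((agent, part))
    return out

def indexable_by(headers, body, crawler):
    """True if neither header nor markup tells `crawler` not to index."""
    meta = RobotsMeta()
    meta.feed(body)
    return not any(agent in ("*", crawler) and d in BLOCKING
                   for agent, d in header_directives(headers) + meta.directives)

def audit(pages, crawlers=("googlebot", "bingbot")):
    """Map each URL to the crawlers still allowed to index it."""
    return {url: [c for c in crawlers if indexable_by(h, b, c)]
            for url, (h, b) in pages.items()}

# Constructed responses for hypothetical invite pages (not real Box URLs).
SAMPLE = {
    "https://files.example.com/invite/a": ([("Content-Type", "text/html")], "<title>Join</title>"),
    "https://files.example.com/invite/b": ([("X-Robots-Tag", "googlebot: noindex, nofollow")], ""),
    "https://files.example.com/invite/c": ([], '<meta name="ROBOTS" content="NOINDEX, NOFOLLOW">'),
}
```

A page that is also disallowed in `robots.txt` never has its no-index signal read by the crawler, so the two controls should not be combined on the same URL.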

As previously reported by Enterprise Mobility Exchange, customers don’t have any opportunity or ability to monitor the security structure of a public (cloud) provider, unlike private clouds where customers are in charge of security implementation and monitoring.

Securing the cloud will be up for discussion at Enterprise Mobility Exchange’s Security West event, April 24 and 25 in Phoenix, Arizona. The agenda topic “Successfully Extending Your Securities To The Cloud” will cover identifying the vulnerabilities in your security when it comes to cloud; which service (IaaS, SaaS, or PaaS) provides the most comprehensive security; and how to remediate threats to the cloud.

The Exchange is where 40 CIOs, CISOs, Directors, VPs, and Heads of IT will gather for an information sharing strategy session, featuring a two-day agenda packed with speakers, roundtables, and networking opportunities.
