While data and documents uploaded to Box Enterprise accounts are technically private, users can share access via links, some of which can be made publicly viewable by anyone who happens to have the URL. And Adversis found that some companies have revealed those secret links — some were even been indexed by search engines. Adversis initially planned to reach out to companies individually but quickly realized the scale of the problem went beyond that.
Box released the following statement regarding the report: “We take our customers’ security seriously and we provide controls that allow our customers to choose the right level of security based on the sensitivity of the content they are sharing. In some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to public or “open.” We are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links.”
It’s important to note that some Box URLs being theoretically accessible by anyone to see isn’t a flaw or mistake in their system. The company notes that it has many different ways to share content — files can be totally private, accessible only to specific users or accessible to anyone who has the URL in question (a public link). Users can also set custom URLs, which is primarily what Adversis’s study refers to.
Box itself specifically says that if a public Box URL is shared somewhere where others can find it, like a website that might be indexed by Google, that content will be accessible. Best security practices call for not sharing those links publicly. The same is doubly true for public Box links with custom URLs — those may be useful for internal sharing but shouldn’t be shared outside a trusted set of people.
To address the concerns raised by situations like Adversis found, Box is taking a number of steps. For starters, the Box admin console is now set to disable public custom shared URLs by default; unless a admin changes that, users won’t be able to share links in that fashion. Additionally, the default privacy setting for shared links is set to “people in your company,” and that default can only be changed by an admin. Finally, Box is also working with companies who use its tools to make sure they know how to audit public and custom URLs in their organization and make them more secure, if necessary.
According to TechCrunch, Apple, the television network Discovery, flight reservation system Amadeus, nutrition company Herbalife and Opportunity International were among the companies whose data was available in public links. It includes everything from customer emails and phone numbers to patient insurance information and public works project details.
Ultimately, the major issue here appears to be a disconnect between how people use Box’s pubic URLs and not so much a security concern. To that end, Box is improving the user education when people use its product to share URLs to make it clear what potential there is for data exposure so that users choose the security level that’s right for them.
Update: 3/11/19 5:25PM ET: This post has been extensively updated to include a statement from Box as well as details about how the company is making it easier for users to understand how its public URLs work and how to properly secure their content. We’ve also updated the headline to reflect the updated story, as this data exposure didn’t come directly from a lack of security on the part of Box.