Box.com Flaw Enables Folder/File Access To Unauthorized Users
A critical flaw in the Box.com cloud-storage solution was recently discovered that makes files stored in the service accessible to external, unauthorized users when account holders are not security-conscious. Box.com is a mainstream cloud-storage service, and many corporate account holders store their personal and business files in the encrypted storage service. Corporate accounts are at risk because not everyone using such an account sets the access restriction to “people in your company” when sharing a file or folder from Box.com with other people. Leaving the default settings for sharing links makes the shared files public: anyone who gets hold of the URL gets access to the file without needing to authenticate first.
Box.com also allows its corporate customers to create “Vanity” URLs: links to files shared through the service that use a customized URL instead of a machine-generated one. The special subdomain used by a Vanity URL can be subjected to a brute-force attack to guess the entire URL. Access to the URL means access to the entire folder structure that the link points to. The issue was first reported more than 18 months ago by Nenad Zaric, but no one from Box.com took the bug seriously, and it was left open for many months until now.
Shared files are under the following URL format:
The attacker only needs to create a simple program that attempts to guess the folder name structure in succession using a dictionary attack or a brute-force attack; this will reveal the files underneath those folders. To mitigate the concern, Box launched a microsite with instructions on how to harden the weak system, lessening the chances of a successful infiltration of box.com storage by unauthorized users.
“To ensure that the right people have access to shared content, you can configure access controls on a Box Shared Link: People with the link (public/open); People in your company or People in this folder/file setting. You can also enable security controls such as password-protection and expiration policies on shared links. In addition to user-level security controls, company Box administrators can apply enterprise-wide security controls on Shared Links. Coupled with appropriate security controls based on the sensitivity of the content, Shared Links provide a frictionless and secure way to collaborate,” explained a Box.com spokesperson.
Box.com also discourages the use of Vanity URLs for sharing Box.com files with people outside the organization. “We provide admins tools to run various reports on open links across their enterprise, as well as to disable open and custom URLs for their enterprise. Admins can also ensure that ‘People in the Company’ is the default setting for all shared links to limit the potential for a user to set a [file] as public inadvertently. We don’t proactively scan our customers’ deployments, but if customers need assistance or need to examine a specific issue we will work with them to examine their links and identify any potential issues,” added the Box.com spokesperson.
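The shared-link controls described above (access level, password, expiration, custom URL) can be checked across an inventory of items. The following is an added example, not code from Box or from the original article: it assumes each record carries a `shared_link` object with the fields `access`, `is_password_enabled`, `unshared_at` and `vanity_name`, and the sample inventory is constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample inventory; the shared_link field names are an assumption
# (access, is_password_enabled, unshared_at, vanity_name).
SAMPLE_ITEMS = json.loads("""
[
 {"id": "1001", "name": "Q3-board-deck", "shared_link":
   {"access": "open", "is_password_enabled": false, "unshared_at": null, "vanity_name": "board"}},
 {"id": "1002", "name": "press-kit", "shared_link":
   {"access": "open", "is_password_enabled": true, "unshared_at": "2030-01-01T00:00:00+00:00", "vanity_name": null}},
 {"id": "1003", "name": "hr-policies", "shared_link":
   {"access": "company", "is_password_enabled": false, "unshared_at": null, "vanity_name": null}},
 {"id": "1004", "name": "scratch", "shared_link": null}
]
""")


def audit_link(link, now):
    """Return findings for one shared link; an empty list means no issue."""
    if not link or link.get("access") != "open":
        return []  # not shared, or restricted to company / collaborators
    findings = ["open link: anyone with the URL can access without authenticating"]
    if not link.get("is_password_enabled"):
        findings.append("no password")
    expires = link.get("unshared_at")
    if expires is None:
        findings.append("no expiration")
    elif datetime.fromisoformat(expires) <= now:
        return []  # expiration date has passed, nothing left to review
    if link.get("vanity_name"):
        findings.append("custom (vanity) URL: guessable name on an open link")
    return findings


def audit(items, now=None):
    """Map item id -> findings, for items whose shared link needs review."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for item in items:
        findings = audit_link(item.get("shared_link"), now)
        if findings:
            report[item["id"]] = findings
    return report


if __name__ == "__main__":
    for item_id, findings in audit(SAMPLE_ITEMS).items():
        print(item_id, "; ".join(findings))
```

Items reported with all four findings are the ones to move to “People in your company” or to protect with a password and expiration first.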
Julia Sowells
Julia Sowells is a technology and security professional. With a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.