
Box Leak: Why Custom File Sharing Links Can Expose Data

Yesterday the cybersecurity firm Adversis reported that a Box leak exposed data stored by dozens of companies, illustrating some of the data privacy risks in the Box platform.

The key issue they found involved a Box feature that allows users to create custom shared links.

As Adversis found, many users in almost 100 companies (including Apple, the PR firm Edelman, and Schneider Electric) had accidentally used this feature to share private files, mistakenly believing their URL was “secret” and could not be guessed.

That was not, and still is not, the case. Here's why.

The Problems with Simple and Predictable Links

Box's custom sharing links are built in a very simple and predictable way: company.app.box.com/v/{name chosen by the user}. The only secret in the URL is a word the user picked, which is often just the file's name.

Box considers this a “feature” and their documentation admits that creating public custom shared links for any content may result in anyone who can guess the URL gaining access to that content. The links can be shared in “public” mode, requiring no authentication.

Indeed, Adversis demonstrated the weakness by brute-forcing the final path component of company.app.box.com/v/(unknown) for a list of company subdomains.


In this regard, the Box leak is reminiscent of the leaky cloud buckets we saw explode in 2018 as a result of users misconfiguring object storage buckets on public cloud infrastructure.

In this instance, Adversis guessed link names by requesting URLs built from a list of common words and checking which ones returned a file. Box does enforce a rate limit against brute force, but it was not strict enough to stop a slow scan, so the researchers could easily find links that used common filenames.

After the first couple of days of running a "non-aggressive" scan, the researchers had thousands of files and terabytes of data from dozens of companies. Many of the files contained sensitive information such as customer lists, archives of internal meetings, financial data and employee lists.

This exposes the affected companies to significant risk. For example, the unauthorized disclosure of employee personal data is a personal data breach under GDPR, which brings notification obligations and potential fines.

The Secure Path to Shared Link Creation

CTERA is different in a number of regards. We believe that products designed for storing sensitive enterprise data need to be designed to prevent situations where non-malicious employees inadvertently create data leaks. We shouldn't assume that everyone reads the documentation and acts accordingly. If an employee of a CTERA customer inadvertently leaks sensitive data, we consider that very much our own problem, not only a failure of the customer to educate their employees.

While CTERA does support public links, let's talk a bit about how our product was designed, and why it is unlikely to produce a similar 'Box leak.'

  1. CTERA appends a random secret of sufficient length to every public link URL, so that the link cannot be found by guessing the file's name.
  2. CTERA enforces strict rate limits, so that a brute-force attacker is detected and blocked after only a few requests for URLs that lack the correct secret.
  3. CTERA integrates with Symantec Data Loss Prevention. You can configure Symantec DLP (as seen below) to scan content for confidential and sensitive data (for example, credit card numbers and personal data) and, based on what it finds, automatically prevent that data from being shared externally.
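To make the difference between the two link designs concrete, here is an added Python example. It is written for this post as an illustration and is not Box's or CTERA's code; the tenant's file names, the attacker's wordlist, the 128-bit token length, the lockout threshold of three misses and the Luhn-based card check (standing in for a real DLP product) are all assumptions chosen for the demo. It replays wordlist guessing against a predictable-slug server and against a random-token server, with and without a lockout, and shows a pre-share content check of the kind a DLP integration performs.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample tenant: names a user might pick as a public link slug.
# Made up for this example, not real Box or CTERA data.
SHARED_FILES = ["budget", "payroll", "customers", "q3-report", "board-minutes"]

# Constructed attacker wordlist of common document names.
WORDLIST = ["budget", "invoice", "payroll", "customers", "passwords",
            "q3-report", "resume", "board-minutes", "contract", "salaries"]


def predictable_link(name):
    """Link path that is only the user-chosen name (the scheme the post criticises)."""
    return f"/v/{name}"


def random_link(name, token_bytes=16):
    """Link path with a random URL-safe secret appended (128 bits by default, an assumed size)."""
    return f"/v/{name}-{secrets.token_urlsafe(token_bytes)}"


def guess_space_bits(token_bytes=16):
    """Search space an attacker must cover to hit one random link, in bits."""
    return token_bytes * 8


class ShareService:
    """Toy unauthenticated link server (hypothetical, not either vendor's code).
    max_failures=None means no lockout; otherwise a client is blocked after
    that many misses."""

    def __init__(self, link_scheme, max_failures=None):
        self.links = {link_scheme(n): n for n in SHARED_FILES}
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.blocked = set()

    def fetch(self, client_ip, path):
        if client_ip in self.blocked:
            return "BLOCKED"
        if path in self.links:
            return self.links[path]  # public link: no authentication needed
        self.failures[client_ip] += 1
        if self.max_failures is not None and self.failures[client_ip] >= self.max_failures:
            self.blocked.add(client_ip)
        return None


def enumerate_links(service, client_ip="203.0.113.5", wordlist=WORDLIST):
    """Adversis-style guessing: request each common word as the link slug."""
    found = []
    for word in wordlist:
        result = service.fetch(client_ip, predictable_link(word))
        if result == "BLOCKED":
            break
        if result is not None:
            found.append(result)
    return found


# --- Pre-share content check, a stand-in for a DLP integration ---

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits):
    """Luhn checksum, used to separate real card numbers from random digit runs."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def contains_card_number(text):
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            return True
    return False


def can_share_externally(text):
    """Refuse to create a public link for content that carries a card number."""
    return not contains_card_number(text)


if __name__ == "__main__":
    print("predictable, no lockout:", enumerate_links(ShareService(predictable_link)))
    print("predictable, lockout=3: ", enumerate_links(ShareService(predictable_link, 3)))
    print("random token, lockout=3:", enumerate_links(ShareService(random_link, 3)))
    print("bits to brute-force a random link:", guess_space_bits())
    print("share 'Card: 4111 1111 1111 1111'?", can_share_externally("Card: 4111 1111 1111 1111"))
```

The run against the predictable scheme recovers every file whose name is in the wordlist, and a lockout after three misses still lets four of the five through, because common names are hit before the budget of misses is spent. Against the random scheme the same wordlist recovers nothing and the client is blocked after three requests; the 128-bit secret makes exhaustive guessing infeasible regardless of the rate limit. The two controls complement each other: the secret removes the guessable slug, and the lockout stops an attacker from probing at scale.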

Beyond a link-sharing mechanism designed with sensitive corporate files in mind, we let an administrator control which users may share at all, whether by public link or other methods, using our fine-grained collaboration policies, or 'file-wall' technology, as we call it.

Data Privacy Beyond Links

CTERA is also inherently more private than Box because it runs as a dedicated private deployment rather than as shared SaaS. Even CTERA employees cannot see your data, and there is no risk of blind subpoenas: you own the infrastructure and the encryption keys, so CTERA could not hand over your data even if served with a court order.


Bear all of this in mind as you evaluate the file sharing and collaboration requirements in your organization. CTERA helps security-focused organizations enjoy the same levels of user-friendly file sharing without compromising data privacy. If we can help you avoid a future Box leak, drop us a line.

Aron Brand is CTERA's Chief Technology Officer. Follow Aron on Twitter.
