Box.com Flaw Enables Folder File Access To Unauthorized Users
A critical flaw in the Box.com cloud-storage service was recently discovered that makes files stored in the service accessible to unauthorized external users if account holders are not security-conscious. Box.com is a mainstream cloud-storage service with many corporate account holders storing their personal and business files in its encrypted storage. Corporate accounts are at risk because not everyone using such an account restricts access to “people in your company” when sharing a file or folder from Box.com with other people. Leaving the default settings for shared links makes the shared files public: anyone who gets hold of the URL can access the file without first authenticating.
Box.com also allows corporate customers to create “vanity” URLs: links to shared files whose URL is customized by the customer instead of being machine-generated. A special subdomain using a vanity URL can be subjected to a brute-force attack to guess the entire URL, and access to the URL means access to the entire folder structure the link points to. The issue was first reported more than 18 months ago by Nenad Zaric, but no one at Box.com took the bug seriously, and it was left open for many months until now.
An attacker only needs a simple program that guesses folder names in succession using a dictionary or brute-force attack; each successful guess reveals the files beneath that folder. To mitigate the concern, Box launched a microsite with instructions on how to harden the weak settings, lessening the chances of unauthorized users infiltrating Box.com storage.
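The two conditions the article describes, a link that is open to anyone and a slug drawn from a small, guessable vocabulary, can be checked together in a share-link audit. The following is an added illustration, not code from Box or from the original report; the record fields, the `acme.box.com` host, the 10,000-word dictionary size and the 64-bit threshold are assumptions chosen for the example.

```python
import math
import string

# Constructed sample of shared-link records (hypothetical fields; this is not
# Box's real API schema). "vanity" marks a customer-chosen slug, as opposed to
# a machine-generated token.
SAMPLE_LINKS = [
    {"path": "acme.box.com/v/finance", "access": "open", "vanity": True},
    {"path": "acme.box.com/v/q3-board-deck", "access": "company", "vanity": True},
    {"path": "acme.box.com/s/8Gz3kP0qLmX2wRt9YbNcV1dH7sA5fEuJ",
     "access": "open", "vanity": False},
]

DICTIONARY_WORDS = 10_000  # assumed size of a wordlist of plausible folder names
RANDOM_ALPHABET = len(string.ascii_letters + string.digits)  # 62 symbols


def guess_space_bits(link):
    """Approximate log2 of how many candidates a guesser would have to try.

    A vanity slug is treated as one or more dictionary words joined by
    separators; a generated token is treated as uniformly random over
    letters and digits.
    """
    slug = link["path"].rsplit("/", 1)[-1]
    if link["vanity"]:
        words = [w for w in slug.replace("-", " ").replace("_", " ").split() if w]
        return len(words) * math.log2(DICTIONARY_WORDS)
    return len(slug) * math.log2(RANDOM_ALPHABET)


def audit(links, min_bits=64):
    """Return (path, bits) for links that are both open to anyone and guessable.

    A link restricted to people in the company is not flagged even when its
    slug is weak, because the URL alone no longer grants access.
    """
    findings = []
    for link in links:
        bits = guess_space_bits(link)
        if link["access"] == "open" and bits < min_bits:
            findings.append((link["path"], round(bits, 1)))
    return findings


if __name__ == "__main__":
    for path, bits in audit(SAMPLE_LINKS):
        print(f"exposed: {path} (~{bits} bits of guessing work)")
```

Only the open, single-word vanity link is reported; the long generated token stays unflagged even though it is open, which is the distinction the article draws between customized and machine-generated URLs.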