Recently, the well-known online data management website BOX.COM was found to have a security risk in its file sharing mechanism, which left confidential data and files belonging to many companies directly retrievable through search engines such as Google and Bing. Markus Neis, the threat intelligence officer who discovered the problem, said that BOX.COM had defects in how it handles cloud storage accounts, so that a simple search engine query exposed confidential files of companies or individuals to anyone. Attackers can use this problem to access the data that companies store in "cloud collaboration", including data of many large companies such as Dell Technologies Group.

BOX's enterprise cloud drive is well known abroad and has a certain number of users in China. In addition to common file storage and synchronization functions, it provides a "cloud collaboration" function that lets multiple people share files and data, and the problem lies in this function.

According to Neis' explanation, the "cloud collaboration" function lets users invite others to share file directories and data under their account. When files are shared, a URL link is generated automatically, and anyone can access the shared directory through this link. The key problem is that the pages these links point to can be indexed and retrieved by search engines, which network attackers may exploit. Through search engines such as Google and Bing, Neis retrieved tens of thousands of enterprise "cloud collaboration" file sharing links, including some sensitive business information marked with words such as "confidential" and "privacy". He said that attackers can use this flaw to access sensitive data stored in "cloud collaboration", which is widely used for collaborative office work by corporate employees and individual users.
By default, once this link is generated, visitors are authorized to view, download, upload, edit and rename. Neis said: After an attacker finds a company's "cloud collaboration" page through a search engine, he can upload malware to the collaboration project, and then invite corporate employees to join, or spread it at will based on the email addresses found there, to carry out phishing.

Responding to the attack scenario described, BOX.COM said it believes that the pages retrievable through search engines were actively shared by account holders on third-party websites and were not leaked, but it also said: We have contacted Google to delete these public indexes, and they are expected to be completely deleted in the short term. In addition, we have reorganized all sharing links to ensure that public invitation links will not be displayed on Google engines in the future. BOX.COM said that it will continue to evaluate the permission model of shared links so that the function can be used to its full potential while remaining secure. At the same time, it emphasized that the number of shared links exposed to search engines is actually not large.

Foreign media outlet Threatpost revealed that it had retrieved, through search engines, some files with "confidential" and "private" in their names, some of which were data related to Dell Technologies' channel partners. Dell wrote in a statement: Some limited amount of information could be seen by "unexpected people" for a short time, but the problem has been resolved. Discovery Communications was also reported to have had a large number of related documents and video project files exposed, but all of those links are currently inaccessible. The company has not commented.
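The core of the issue above is that open shared-link pages could be indexed. The following is an added example, not code from BOX.COM or from Neis: a defender-side check that decides, from an HTTP response, whether a given crawler is told to keep a page out of its index via the standard `X-Robots-Tag` header or robots `<meta>` tag. The sample responses are constructed, and the article does not say which mechanism BOX.COM used.

```python
from html.parser import HTMLParser

BLOCKING = {"noindex", "none"}  # "none" is shorthand for "noindex, nofollow"
VALUED = {"unavailable_after", "max-snippet", "max-image-preview", "max-video-preview"}

def _split(value):
    return {d.strip().lower() for d in value.split(",") if d.strip()}

class _RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots"> or <meta name="<crawler>">."""
    def __init__(self, names):
        super().__init__()
        self.names, self.directives = names, set()

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").strip().lower() in self.names:
            self.directives |= _split(a.get("content", ""))

def header_directives(headers, crawler):
    """Directives from X-Robots-Tag headers that apply to `crawler`."""
    found = set()
    for name, value in headers:
        if name.strip().lower() != "x-robots-tag":
            continue
        head, sep, rest = value.partition(":")
        token = head.strip().lower()
        # "googlebot: noindex" scopes a rule to one crawler; "max-snippet: 10" does not.
        if sep and token.replace("-", "").isalnum() and token not in VALUED:
            if token != crawler:
                continue
            value = rest
        found |= _split(value)
    return found

def indexable_by(headers, body, crawler="googlebot"):
    """True if nothing in the response tells `crawler` to keep the page out of its index."""
    meta = _RobotsMeta({"robots", crawler})
    meta.feed(body)
    return not ((header_directives(headers, crawler) | meta.directives) & BLOCKING)

# Constructed responses for a hypothetical shared-folder page (not captured traffic).
OPEN_PAGE = ([("Content-Type", "text/html")], "<html><head><title>Shared</title></head></html>")
HEADER_BLOCK = ([("X-Robots-Tag", "noindex, nofollow")], "<html></html>")
META_GOOGLE_ONLY = ([], '<html><head><META NAME="Googlebot" CONTENT="NoIndex"></head></html>')
HEADER_BING_ONLY = ([("x-robots-tag", "bingbot: none")], "<html></html>")

if __name__ == "__main__":
    for label, (h, b) in [("open", OPEN_PAGE), ("header", HEADER_BLOCK),
                          ("meta-google", META_GOOGLE_ONLY), ("header-bing", HEADER_BING_ONLY)]:
        print(label, {c: indexable_by(h, b, c) for c in ("googlebot", "bingbot")})
```

A `noindex` directive only takes effect if the crawler is allowed to fetch the page, and it does nothing about the link's access permissions, which have to be restricted separately.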