Well-known online disk BOX.COM exposed a vulnerability, file sharing can be searched by search engines

Recently, the well-known online data management website BOX.COM was found to have security risks in its file sharing mechanism, which caused some confidential data and files of many companies to be directly retrieved by search engines such as Google and Bing. Markus Neis, the threat intelligence officer who discovered the problem, said that BOX.COM had defects in handling cloud storage accounts, resulting in a simple search engine query that allowed confidential files of companies or individuals to be accessed by anyone. Attackers can use this problem to access the data stored by companies on "cloud collaboration", including data of many large companies such as Dell Technologies Group. It is understood that BOX's corporate network disk is quite famous abroad and has a certain number of users in China. In addition to providing common file storage and synchronization functions, it also provides a "cloud collaboration" function for multiple people to share files and data, and the problem lies in this function. According to Neis' explanation, the "cloud collaboration" function provided by BOX allows users to invite others to share file directories and data under the account. When sharing files, a URL link will be automatically generated. Anyone can access the shared directory through this link. The key problem is that the pages pointed to by these links can be included and retrieved by search engines, which may be exploited by network attackers. Through search engines such as Google and Bing, Neis retrieved tens of thousands of file sharing links for "cloud collaboration" of enterprises, including some sensitive business information marked with words such as "confidential" and "privacy". He said that attackers can use this flaw to access sensitive data stored in "cloud collaboration", which is widely used for collaborative office work between corporate employees and individual users. By default, after this link is generated, visitors will be authorized to view, download, upload, edit and rename. Neis said: After the attacker finds a company's "cloud collaboration" page through a search engine, he can upload malware to the collaboration project, and then invite corporate employees to join or spread it at will based on the email addresses in it to implement phishing.
According to the description of an attack method envisioned, BOX.COM believes that these pages that can be retrieved by search engines are actively shared by account holders on third-party websites, and are not leaked, but they also said: We have contacted Google to delete these public indexes, and it is expected to be completely deleted in the short term. In addition, we have reorganized all sharing links to ensure that the public invitation links will not be displayed on Google engines in the future. BOX.COM said that they will continue to evaluate the permission model of shared links to ensure that the function can be used to its full potential while ensuring security. At the same time, they emphasized that the number of shared links exposed to search engines is actually not large. Foreign media Threatpost revealed that it retrieved some files with "confidential" and "private" in their names through search engines, some of which were related data of Dell Technologies' channel partners. Dell wrote in a statement: Some limited amount of information can be seen by "unexpected people" for a short time, but the problem has been resolved. It is reported that Discovery Communications has also been found to have a large number of related documents and video project files, but all links are currently inaccessible. The company has no comment on this.

As a winner of Toutiao's Qingyun Plan and Baijiahao's Bai+ Plan, the 2019 Baidu Digital Author of the Year, the Baijiahao's Most Popular Author in the Technology Field, the 2019 Sogou Technology and Culture Author, and the 2021 Baijiahao Quarterly Influential Creator, he has won many awards, including the 2013 Sohu Best Industry Media Person, the 2015 China New Media Entrepreneurship Competition Beijing Third Place, the 2015 Guangmang Experience Award, the 2015 China New Media Entrepreneurship Competition Finals Third Place, and the 2018 Baidu Dynamic Annual Powerful Celebrity.

<<: Train ticket scalpers upgrade their technology: 2G broadband + exhaustive verification code

>>: Hongmeng Intelligent Driving ushers in another OTA upgrade, and the large-model car-mounted Xiaoyi unlocks more voice skills!

More than 60% of consumers have misunderstandings about these 4 issues regarding food additives!

Well-known online disk BOX.COM exposed a vulnerability, file sharing can be searched by search engines

More than 60% of consumers have misunderstandings about these 4 issues regarding food additives!

The fabric as thin as a cicada's wing is actually a "silencer"!

An inventory and analysis of mainstream promotion channels, teaching you how to spend 10 million promotion fees

Apple's reduction in supply of high-end models means an opportunity for domestic brands to enter the high-end market?

Asia Winter Science Popularization Issue 8丨“Hard-core” technology equipment blessing, ice and snow sports double the fun

How to make scrolling subtitles for Tik Tok short videos? Specific operation steps diagram

Gail van der, who foresaw a story that had not yet ended

How can business services achieve positive growth in search promotion effects? Optimization ideas reference

Dong Zhuo, who was unable to be dealt with by the eighteen princes, was dealt with by an internet celebrity?

Another fitness move is going viral! A man's hemorrhoids ruptured after trying it! Doctor: Not suitable for everyone...

Recommend

Chinese office workers sleep an average of 7.5 hours a day! How to sleep more healthily?

How to do content operation? It’s all here!

Chinese Doctors’ Day | Today, say “thank you” to them!

How to analyze the effectiveness of promotion channels?

Economy in physics: What is the principle of least action?

National Disability Prevention Day | Everyone needs to know about disability!

Tik Tok operation plan and strategy skills

Wenzhou SEO Training: What is the impact of website title modification on keyword optimization ranking?

Interpretation of Meituan’s latest advertisement

【Creative Cultivation Program】The older you get, the happier you are? What are our misunderstandings about “old people”?

Using 1 gram of lunar soil to find the "secret" of helium-3 extraction

Is the oral irrigator useful? Is it just a waste of money?

Liu Yang portrait 2021

"PPT Animation All-round Training Video" from Novice to Expert, practical teaching

Check out those old iPhone models that don’t support the new features of iOS 15. Don’t update blindly