Well-known online disk BOX.COM exposed a vulnerability, file sharing can be searched by search engines

Recently, the well-known online data management website BOX.COM was found to have security risks in its file sharing mechanism, which caused some confidential data and files of many companies to be directly retrieved by search engines such as Google and Bing. Markus Neis, the threat intelligence officer who discovered the problem, said that BOX.COM had defects in handling cloud storage accounts, resulting in a simple search engine query that allowed confidential files of companies or individuals to be accessed by anyone. Attackers can use this problem to access the data stored by companies on "cloud collaboration", including data of many large companies such as Dell Technologies Group. It is understood that BOX's corporate network disk is quite famous abroad and has a certain number of users in China. In addition to providing common file storage and synchronization functions, it also provides a "cloud collaboration" function for multiple people to share files and data, and the problem lies in this function. According to Neis' explanation, the "cloud collaboration" function provided by BOX allows users to invite others to share file directories and data under the account. When sharing files, a URL link will be automatically generated. Anyone can access the shared directory through this link. The key problem is that the pages pointed to by these links can be included and retrieved by search engines, which may be exploited by network attackers. Through search engines such as Google and Bing, Neis retrieved tens of thousands of file sharing links for "cloud collaboration" of enterprises, including some sensitive business information marked with words such as "confidential" and "privacy". He said that attackers can use this flaw to access sensitive data stored in "cloud collaboration", which is widely used for collaborative office work between corporate employees and individual users. By default, after this link is generated, visitors will be authorized to view, download, upload, edit and rename. Neis said: After the attacker finds a company's "cloud collaboration" page through a search engine, he can upload malware to the collaboration project, and then invite corporate employees to join or spread it at will based on the email addresses in it to implement phishing.
According to the description of an attack method envisioned, BOX.COM believes that these pages that can be retrieved by search engines are actively shared by account holders on third-party websites, and are not leaked, but they also said: We have contacted Google to delete these public indexes, and it is expected to be completely deleted in the short term. In addition, we have reorganized all sharing links to ensure that the public invitation links will not be displayed on Google engines in the future. BOX.COM said that they will continue to evaluate the permission model of shared links to ensure that the function can be used to its full potential while ensuring security. At the same time, they emphasized that the number of shared links exposed to search engines is actually not large. Foreign media Threatpost revealed that it retrieved some files with "confidential" and "private" in their names through search engines, some of which were related data of Dell Technologies' channel partners. Dell wrote in a statement: Some limited amount of information can be seen by "unexpected people" for a short time, but the problem has been resolved. It is reported that Discovery Communications has also been found to have a large number of related documents and video project files, but all links are currently inaccessible. The company has no comment on this.

As a winner of Toutiao's Qingyun Plan and Baijiahao's Bai+ Plan, the 2019 Baidu Digital Author of the Year, the Baijiahao's Most Popular Author in the Technology Field, the 2019 Sogou Technology and Culture Author, and the 2021 Baijiahao Quarterly Influential Creator, he has won many awards, including the 2013 Sohu Best Industry Media Person, the 2015 China New Media Entrepreneurship Competition Beijing Third Place, the 2015 Guangmang Experience Award, the 2015 China New Media Entrepreneurship Competition Finals Third Place, and the 2018 Baidu Dynamic Annual Powerful Celebrity.

<<: Train ticket scalpers upgrade their technology: 2G broadband + exhaustive verification code

>>: Hongmeng Intelligent Driving ushers in another OTA upgrade, and the large-model car-mounted Xiaoyi unlocks more voice skills!

IDC: China's artificial intelligence software and application market size will reach US$5.28 billion in 2021

Blog

In-depth analysis of information flow delivery, the key method to rapidly increase ROI

Blog

Inventory and introduction of the top ten experiences of new club consumption reservations in Kunming Tea Drinking Forum in 2022

Blog

Boycott or adopt? What should video websites do with barrage culture?

Zhiji LS7 low-frequency resonance was collectively complained by the owner: I got otitis media after driving for eight months

According to the third-party complaint platform C...

Well-known online disk BOX.COM exposed a vulnerability, file sharing can be searched by search engines

IDC: China's artificial intelligence software and application market size will reach US$5.28 billion in 2021

In-depth analysis of information flow delivery, the key method to rapidly increase ROI

Inventory and introduction of the top ten experiences of new club consumption reservations in Kunming Tea Drinking Forum in 2022

Boycott or adopt? What should video websites do with barrage culture?

Are animal organs a health killer? Not necessarily, these 5 types are worth eating!

If you have shoulder pain, don't always blame it on frozen shoulder! If this happens, be alert.

New regulations on the payment of one-child allowance in 2020: how much is it per year?

In the live streaming melee, will the five major camps of YY, Yingke, Momo, KK and Douyu be formed soon?

Cook uses "chips" to climb the ladder after 7 years, and dual SIM dual standby is just a stepping stone

Case Study: 6 Methods of Growth Hacking

Recommend

Can Android One allow Google to take back control of Android?

Pig: Lazy and gluttonous? God knows I have a high IQ.

New breakthrough! Chinese scientists develop the world's first brain-like complementary vision chip →

Zhiji LS7 low-frequency resonance was collectively complained by the owner: I got otitis media after driving for eight months

Brand live streaming sales strategy!

Metformin's miracle reappears: giving primates' organs a "youthful coat"

Uncovering the secrets behind the "double championship" of "The Rap of China", how much did iQiyi "win"?

Does the click-through rate of Baidu's bidding account have any impact on the promotion plan?

Whether your account performance can achieve high conversion depends on these 3 points!

How Apple Watch can succeed as Android Wear struggles

Fish, shrimp, crab, milk, vinegar, sweet potato... Why does persimmon have so many "enemies"?

What is the advertising process on iQiyi?

Google Maps app update: COVID-19 reminders added to Android and iOS versions

Floating Menu 6.0.7 shortcut software

Kidney and leek can nourish the kidney? It's not that easy...