Well-known online disk BOX.COM exposed a vulnerability, file sharing can be searched by search engines

Recently, the well-known online data management website BOX.COM was found to have a security risk in its file sharing mechanism, which caused confidential data and files belonging to many companies to be directly retrievable through search engines such as Google and Bing. Markus Neis, the threat intelligence officer who discovered the problem, said that BOX.COM had defects in how it handled cloud storage accounts, so that a simple search engine query allowed confidential files of companies or individuals to be accessed by anyone. Attackers could use this problem to access the data companies store in "cloud collaboration", including data of many large companies such as Dell Technologies Group.

BOX's corporate network disk is quite well known abroad and has a certain number of users in China. In addition to common file storage and synchronization functions, it also provides a "cloud collaboration" function for multiple people to share files and data, and the problem lies in this function.

According to Neis' explanation, the "cloud collaboration" function provided by BOX allows users to invite others to share file directories and data under their account. When files are shared, a URL link is generated automatically, and anyone can access the shared directory through this link. The key problem is that the pages pointed to by these links can be indexed and retrieved by search engines, which network attackers can exploit. Through search engines such as Google and Bing, Neis retrieved tens of thousands of "cloud collaboration" file sharing links belonging to enterprises, including some sensitive business information marked with words such as "confidential" and "privacy". He said that attackers can use this flaw to access sensitive data stored in "cloud collaboration", which is widely used for collaborative work between corporate employees and individual users.
By default, after this link is generated, visitors will be authorized to view, download, upload, edit and rename. Neis said: After the attacker finds a company's "cloud collaboration" page through a search engine, he can upload malware to the collaboration project, and then invite corporate employees to join or spread it at will based on the email addresses in it to implement phishing.
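The two conditions the article describes, a share page that search engines are free to index and a default permission set that lets an anonymous visitor upload, edit and rename, can both be checked from the defender's side. The following is an added example and is not code from BOX.COM or from the researcher; it audits one share link from a constructed HTTP response (status, headers, HTML body), a constructed robots.txt and the link's permission list, and flags whether the page carries a noindex directive and whether the link grants write access. The URL, headers and page content below are placeholders built for the example, not captured from box.com.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Robots directives that keep a page out of a search index.
NOINDEX_TOKENS = {"noindex", "none"}
# Rights that let an anonymous visitor change a shared folder; the article
# names upload, edit and rename as defaults for a generated link.
WRITE_PERMISSIONS = {"upload", "edit", "rename", "delete"}


@dataclass
class ShareLinkReport:
    url: str
    indexable: bool
    findings: list = field(default_factory=list)


def _robots_directives(headers, html):
    """Collect robots directives from the X-Robots-Tag header and <meta name=robots>."""
    tokens = set()
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            tokens |= {t.strip().lower() for t in value.split(",")}
    for tag in re.findall(r"<meta\b[^>]*>", html, flags=re.I):
        attrs = {k.lower(): v for k, v in
                 re.findall(r'([\w-]+)\s*=\s*["\']([^"\']*)["\']', tag)}
        if attrs.get("name", "").lower() == "robots":
            tokens |= {t.strip().lower() for t in attrs.get("content", "").split(",")}
    return tokens


def _disallowed_by_robots_txt(robots_txt, path):
    """True if the default (User-agent: *) group has a Disallow prefix matching path.
    Simplified parser: one user-agent line per group, no wildcards."""
    in_default_group = False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            in_default_group = (value == "*")
        elif key == "disallow" and in_default_group and value and path.startswith(value):
            return True
    return False


def audit_share_link(url, status, headers, html, robots_txt, permissions):
    """Assess one anonymous share link for search-engine exposure and over-broad rights."""
    report = ShareLinkReport(url=url, indexable=False)
    if status != 200:
        report.findings.append(f"status {status}: link is not anonymously reachable")
        return report
    directives = _robots_directives(headers, html)
    index_blocked = bool(directives & NOINDEX_TOKENS)
    crawl_blocked = _disallowed_by_robots_txt(robots_txt, urlparse(url).path)
    report.indexable = not index_blocked
    if report.indexable:
        report.findings.append("no noindex directive: an engine that discovers this URL may index it")
    if crawl_blocked and not index_blocked:
        report.findings.append("robots.txt blocks crawling only; a URL linked elsewhere can still be indexed")
    writes = sorted({p.lower() for p in permissions} & WRITE_PERMISSIONS)
    if writes:
        report.findings.append("anonymous link grants write access: " + ", ".join(writes))
    return report


# Constructed sample: a share page with no robots directives and the default rights.
SAMPLE_URL = "https://share.example.com/s/abc123"  # placeholder, not a real link
SAMPLE_HTML = "<html><head><title>Shared folder</title></head><body>Q3 partner pricing (confidential)</body></html>"
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /admin/\n"


def demo_default_link():
    headers = {"Content-Type": "text/html; charset=utf-8"}
    return audit_share_link(SAMPLE_URL, 200, headers, SAMPLE_HTML, SAMPLE_ROBOTS,
                            ["view", "download", "upload", "edit", "rename"])


def demo_hardened_link():
    headers = {"Content-Type": "text/html; charset=utf-8", "X-Robots-Tag": "noindex, nofollow"}
    return audit_share_link(SAMPLE_URL, 200, headers, SAMPLE_HTML, SAMPLE_ROBOTS, ["view"])


if __name__ == "__main__":
    for report in (demo_default_link(), demo_hardened_link()):
        print(report.url, "indexable:", report.indexable)
        for finding in report.findings:
            print("  -", finding)
```

The design point is the distinction between crawling and indexing: a robots.txt Disallow only asks crawlers to stay away, and a URL that is linked from a third-party site can still appear in results, which is why the audit treats only a noindex directive (or a non-200 response, i.e. the link requiring authentication) as blocking exposure. Running this against a vendor's live pages would need an HTTP client and the vendor's own permission API; the audit logic itself does not change.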
Regarding the attack method envisioned above, BOX.COM believes that the pages retrievable by search engines were actively shared by account holders on third-party websites and were not leaked, but it also said: We have contacted Google to delete these public indexes, and they are expected to be completely deleted in the short term. In addition, we have reorganized all sharing links to ensure that public invitation links will not be displayed in Google's search engine in the future. BOX.COM said that it will continue to evaluate the permission model of shared links to ensure that the function can be used to its full potential while remaining secure. At the same time, it emphasized that the number of shared links exposed to search engines is actually not large.

Foreign media outlet Threatpost revealed that it retrieved some files with "confidential" and "private" in their names through search engines, some of which were data related to Dell Technologies' channel partners. Dell wrote in a statement: A limited amount of information could be seen by "unexpected people" for a short time, but the problem has been resolved. It is reported that Discovery Communications was also found to have a large number of related documents and video project files exposed, but all links are currently inaccessible. The company has no comment on this.
