Well-known online disk BOX.COM exposed a vulnerability, file sharing can be searched by search engines

Recently, the well-known online data management service BOX.COM was found to have a security weakness in its file-sharing mechanism that allowed confidential data and files belonging to many companies to be retrieved directly through search engines such as Google and Bing. Markus Neis, the threat intelligence officer who discovered the problem, said that BOX.COM's handling of cloud storage accounts was defective, so that a simple search engine query exposed confidential files of companies or individuals to anyone. Attackers could use the problem to reach data that companies had stored in "cloud collaboration", including data belonging to large companies such as Dell Technologies.

BOX's enterprise network disk is well known abroad and has a certain number of users in China. Besides ordinary file storage and synchronization, it offers a "cloud collaboration" function for sharing files and data among several people, and that is where the problem lies. According to Neis, the "cloud collaboration" function lets a user invite others to share the file directories and data under the account. When files are shared, a URL link is generated automatically, and anyone who has the link can access the shared directory. The key problem is that the pages these links point to can be indexed and retrieved by search engines, which an attacker can exploit. Using Google and Bing, Neis retrieved tens of thousands of "cloud collaboration" file-sharing links belonging to enterprises, including sensitive business information marked with words such as "confidential" and "privacy". He said that attackers can use this flaw to access sensitive data stored in "cloud collaboration", which is widely used for collaborative work between corporate employees and individual users.
By default, once such a link is generated, anyone who visits it is authorized to view, download, upload, edit and rename files. Neis said: after finding a company's "cloud collaboration" page through a search engine, an attacker can upload malware into the collaboration project and then, using the e-mail addresses found there, invite corporate employees to join or spread it freely to carry out phishing.
In response to the attack scenario described, BOX.COM said that the pages search engines can retrieve were shared actively by account holders on third-party websites and were not leaked, but it added: We have contacted Google to delete these public indexes, and we expect them to be removed completely in the short term. In addition, we have reorganized all sharing links to ensure that public invitation links will not be displayed on the Google engine in the future. BOX.COM said it will continue to evaluate the permission model of shared links to ensure that the function can be used to its full potential while remaining secure. At the same time, it emphasized that the number of shared links exposed to search engines is actually not large.

Foreign media outlet Threatpost reported that it retrieved through search engines some files with "confidential" and "private" in their names, some of them data relating to Dell Technologies' channel partners. Dell wrote in a statement: a limited amount of information could be seen by "unintended people" for a short time, but the problem has been resolved. Discovery Communications was also reportedly found to have a large number of related documents and video project files exposed, but all of the links are currently inaccessible. The company has not commented.
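The weakness described above is that share-link pages were reachable by crawlers and carried nothing telling them not to index the content. An administrator who wants to verify a remediation claim like BOX.COM's can check, for each share URL, whether robots.txt permits crawling and whether the response carries an X-Robots-Tag header or robots meta tag with "noindex". The script below is an added example written for this article, not code from BOX.COM or from the researcher; the host files.example.com, the URLs, headers and robots.txt content are constructed sample data, and the functions only evaluate responses you have already fetched, so it runs offline.

```python
"""Audit whether file-sharing pages are exposed to search-engine indexing.

Added example (not Box's own code): given a share-link URL, the HTTP response
headers and body returned for it, and the site's robots.txt, decide whether a
crawler such as Googlebot is allowed to fetch and index the page.  All sample
data below is constructed for illustration.
"""
from html.parser import HTMLParser
from urllib import robotparser


class _RobotsMetaParser(HTMLParser):
    """Collects directives from <meta name="robots"> (and crawler-specific) tags."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() in ("robots", "googlebot", "bingbot"):
            self.directives.extend(
                d.strip().lower() for d in attr.get("content", "").split(",")
            )


def robots_directives(headers, body):
    """Return the set of robots directives found in X-Robots-Tag headers and meta tags."""
    found = set()
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            # Header form may be "noindex, nofollow" or "googlebot: noindex".
            for d in value.split(","):
                found.add(d.split(":")[-1].strip().lower())
    parser = _RobotsMetaParser()
    parser.feed(body)
    found.update(parser.directives)
    found.discard("")
    return found


def is_indexable(url, headers, body, robots_txt, user_agent="Googlebot"):
    """True if the crawler may fetch the URL and nothing tells it not to index the page."""
    rp = robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())  # parse() also marks the file as read
    if not rp.can_fetch(user_agent, url):
        return False
    directives = robots_directives(headers, body)
    # "none" is shorthand for "noindex, nofollow".
    return not ({"noindex", "none"} & directives)


def audit_share_links(pages, robots_txt):
    """Return the URLs in `pages` that a search engine could index."""
    return [p["url"] for p in pages
            if is_indexable(p["url"], p["headers"], p["body"], robots_txt)]


# --- Constructed sample data (hypothetical host, not real share links) ---
ROBOTS_TXT = "User-agent: *\nDisallow: /private/\n"

OPEN_SHARE = {
    "url": "https://files.example.com/s/abc123",
    "headers": {"Content-Type": "text/html"},
    "body": "<html><head><title>Shared folder</title></head><body>Q3 plan.xlsx</body></html>",
}
HARDENED_SHARE = {
    "url": "https://files.example.com/s/def456",
    "headers": {"Content-Type": "text/html", "X-Robots-Tag": "noindex, nofollow"},
    "body": '<html><head><meta name="robots" content="noindex"></head></html>',
}
BLOCKED_BY_ROBOTS = {
    "url": "https://files.example.com/private/ghi789",
    "headers": {"Content-Type": "text/html"},
    "body": "<html><body>internal</body></html>",
}
SAMPLE_PAGES = [OPEN_SHARE, HARDENED_SHARE, BLOCKED_BY_ROBOTS]

if __name__ == "__main__":
    for url in audit_share_links(SAMPLE_PAGES, ROBOTS_TXT):
        print("indexable:", url)
```

Run against the constructed data, only the first share link is reported as indexable. Two caveats apply when using this on real links: a "noindex" directive only stops crawlers that honour it, and neither it nor robots.txt changes who can open the link, so a URL that has already leaked stays reachable by anyone who has it. The change that actually limits the damage described in the article is the permission model, in other words making new links view-only by default instead of granting upload and edit rights to every visitor.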

