Slashdot Mirror


Sensitive Data Stored On Box.com Accounts Accessible Via Search Queries (threatpost.com)

msm1267 writes: Last week Box.com moved quickly and quietly to block search engines from indexing links to confidential data owned by its users. That is after security researcher Markus Neis surfaced private data belonging to a number of Fortune 500 companies via Google, Bing and other search engines. Box.com said it's a classic case of users accidentally oversharing. Neis isn't convinced and says Box.com's so-called Collaboration links shouldn't have been indexed in the first place. Box.com has since blocked access to what security researchers say was a treasure trove of confidential data and fodder for phishing scams.

29 comments

  1. This is why "the cloud" is stupid by Anonymous Coward · · Score: 5, Insightful

    Don't let someone else have custody of your data.

    People are so stupid.

    1. Re: This is why "the cloud" is stupid by Anonymous Coward · · Score: 1

      But they said it was in a box, not a cloud. I'm confused.

    2. Re: This is why "the cloud" is stupid by Anonymous Coward · · Score: 0

      Should have said vault. Or perhaps an azure vault, yeah!

    3. Re:This is why "the cloud" is stupid by edtice1559 · · Score: 1

      Don't let a bank have custody of your money. Keep it safe under your mattress. For all but the security professionals, cloud storage is the most secure option available. Some super rich people keep bars of gold in their homes but for everybody else a bank account is the right place to store money.

    4. Re:This is why "the cloud" is stupid by antdude · · Score: 1

      My former security workplace used box.com. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).

    5. Re:This is why "the cloud" is stupid by fbobraga · · Score: 1

      In Brazil there was some legislation (abrogated by the current administration, which is the product of a coup...) trying to avoid the use of "clouds" hosted in other countries (where Brazilian legal jurisdiction can't reach)...

  2. Do any archives have copies? by HornWumpus · · Score: 1

    I'd like to look through the data. For science, yeah, that's the ticket...

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'

  3. Beware by Anonymous Coward · · Score: 0

    Donald's coming to finger your box.

  4. What is shared should be indexed by Anonymous Coward · · Score: 1

    I'm with box.com on this. If users overshare their links, why should it be box.com or the search engines' responsibility to know that the information is confidential and prevent indexing? Why do the idiots who overshare get preferential treatment over people who willingly want their information to be public and deliberately post links in places where search engines will index them so the content can be found?

    1. Re:What is shared should be indexed by stephanruby · · Score: 4, Insightful

      Box should just have used a robots.txt and disallowed /* everything by default. It's not that hard.

      It's a given that users, whether they know it or not, are going to leak private urls to search engines. The Alexa toolbar, the Google toolbar, the Microsoft browser, etc., they all leak that kind of information. This is not a new problem. This is why the robots.txt file is there (not to inform hackers of the exact links they must not index, but to inform search engines that if they find themselves on a particular domain, or in a particular directory, that they should not index any file/folder below that level).

    2. Re:What is shared should be indexed by Anonymous Coward · · Score: 0

      It's a problem if search engines are indexing private URLs based on toolbar usage. That is not box.com's problem though, it is Google, Microsoft and other search engine providers'. They should be limiting their indexing to publicly reachable URLs.

    3. Re:What is shared should be indexed by Anonymous Coward · · Score: 0

      It's not too effective anymore because lots of spiders give zero fucks about the robots file. BaiDu.cn and Yandex.ru will slurp up everything they can, no matter what your robots file says.

    4. Re:What is shared should be indexed by stephanruby · · Score: 1

      > It's not too effective anymore because lots of spiders give zero fucks about the robots file. BaiDu.cn and Yandex.ru will slurp up everything they can, no matter what your robots file says.

      I know, but I'm just responding to the article at hand which says:

      > a researcher found confidential documents and data belonging to Box.com users via Google, Bing and other search engines.

      This means that Box.com didn't even take the most basic precaution they could have taken.

    5. Re:What is shared should be indexed by stephanruby · · Score: 1

      > It's a problem if search engines are indexing private URLs based on toolbar usage.

      The toolbar example is but one example I chose. There are others that are even more subtle.

      > That is not box.com's problem though, it is Google, Microsoft and other search engine providers'. They should be limiting their indexing to publicly reachable URLs.

      Great! Teach corporations morality, or create new laws and pass them internationally. Either way, I'll be waiting, so get back to me when you're done.

      In the meantime, if your company is using box.com, you should probably consider switching providers. If geocities is still around, I'd recommend that service instead as a way to share documents online. The geocities I remember is nearly as secure as Box.com, but comes at only a fraction of the price of Box.com.

    6. Re:What is shared should be indexed by Anonymous Coward · · Score: 1

      While robots.txt allows companies to address the problem of having URLs like these indexed in search engines, it does not prevent rogue indexing services from doing so. Take Baidu, for example. I've seen how they disregard the robots.txt, which means URLs like these might very well leak and get indexed through an incredible amount of different channels; browser addons, email scanning, URL shorteners etc.

      Sharing using "secret links" is highly insecure and should not be possible if the information behind it is not meant to become public one way or another.

    7. Re:What is shared should be indexed by budgenator · · Score: 1

      Digest access authentication would have stopped it cold; a lot of spiders use the robots.txt as a hint to where the good stuff might be.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds

  5. Hmmm by rmdingler · · Score: 1

    > Box.com said it's a classic case of users accidentally oversharing.

    Next time you feel trepidation about oversharing, remember, someone once said in a meeting, "Let's make a film with a tornado full of sharks."

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:Hmmm by Anonymous Coward · · Score: 0

      > Box.com said it's a classic case of users accidentally oversharing.
      >
      > Next time you feel trepidation about oversharing, remember, someone once said in a meeting, "Let's make a film with a tornado full of sharks."

      They made 6 films about a tornado full of sharks. https://en.wikipedia.org/wiki/Sharknado_(film_series)

  6. How did Box prevent indexing? by Anonymous Coward · · Score: 1

    TFA was lacking on technical details and I don't see any information about what Box has done to prevent these URLs from being indexed in the future. If they just tweaked their robots.txt or something, that isn't going to cut it. People who use Chrome will still be leaking these URLs directly to Google, which in turn will still index them. See here (search for "Chrome sends" for just a taste of what the Chrome spyware transmits back to its mother ship).

  7. Hipchat does this with every file transferred by SethJohnson · · Score: 5, Interesting

    Using the Atlassian chat client, HipChat, if a user transmits a file to another user, the file is stored on Amazon S3, just as it sounds like Box is doing, and is accessible by an obfuscated URL. The files are then available via any unauthenticated GET request that stumbles upon the URL string via brute force.

    A clever attacker doesn't even need to use her own resources in the brute force attack. A website can be constructed with millions of links pointing at candidate URLs and eventually Google and other indexers will spider them and the ones that don't turn up 404 errors will be added to the web index.

    1. Re: Hipchat does this with every file transferred by Anonymous Coward · · Score: 0

      > attacker doesn't even need to use her own resources in the brute force attack

      Her? Females use social manipulation, not brute force.

    2. Re:Hipchat does this with every file transferred by Anonymous Coward · · Score: 0

      > Using the Atlassian chat client, HipChat,

      That's your first problem right there, and don't even get me started on Jira.

  8. WTF is Box? by RightwingNutjob · · Score: 1

    And what do they do besides charging money for something you can do for free with a terminal, poorly?

    1. Re:WTF is Box? by Anonymous Coward · · Score: 0

      "B-but, it's got what plants crave."

    2. Re: WTF is Box? by Anonymous Coward · · Score: 0

      What is wrong with his mother's vagina if it is box shaped? How did a round head fit through that....

  9. Wish I had mod points by stabiesoft · · Score: 1

    So true, I have a robots to minimize indexing some old stuff, nearly everyone ignores it and indexes away. If it is on the web, somebody is going to find it.

  10. Re:SJW angle by Anonymous Coward · · Score: 0

    I know your little dick gets hard when you think about men in women's clothing, that's OK. You can try dealing with your inner turmoil not with hate and malevolence, but kindness and understanding toward those that give you those strange feelings.

    As a fighter for justice in society, no matter the race, gender, sexual orientation or political leaning, I empathise with your plight. Perhaps go and have a little wank, whilst thinking about those sexy little Asian boys with the tight female bodies. It shouldn't take you long. I guarantee by the time you're finished, you'll feel a whole lot better.