Slashdot Mirror


Sensitive Data Stored On Box.com Accounts Accessible Via Search Queries (threatpost.com)

msm1267 writes: Last week Box.com moved quickly and quietly to block search engines from indexing links to confidential data owned by its users. That is after security researcher Markus Neis surfaced private data belonging to a number of Fortune 500 companies via Google, Bing and other search engines. Box.com said it's a classic case of users accidentally oversharing. Neis isn't convinced and says Box.com's so-called Collaboration links shouldn't have been indexed in the first place. Box.com has since blocked access to what security researchers say was a treasure trove of confidential data and fodder for phishing scams.

1 of 29 comments

  1. Hipchat does this with every file transferred · by SethJohnson · Score: 5, Interesting

    Using the Atlassian chat client, HipChat, if a user transmits a file to another user, the file is stored on Amazon S3, just like it sounds as Box is doing, and is accessible by an obfuscated URL. The files are then available via any unauthenticated GET requests that can stumble upon the URL string via brute force.

    A clever attacker doesn't even need to use her own resources in the brute force attack. A website can be constructed with millions of links pointing at candidate URLs and eventually Google and other indexers will spider them and the ones that don't turn up 404 errors will be added to the web index.
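The two weaknesses the story and the comment describe are an unauthenticated capability URL that never stops working, and a share endpoint that lets crawlers index it. The following is an added defender-side example, not code from Box, HipChat or the original thread: a share-link endpoint that signs links with HMAC-SHA256 and an expiry, refuses tampered or expired ones, and sends `X-Robots-Tag` so a leaked link cannot land in a search index. The host `files.example.invalid`, the signing key and the sample file id are all constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed signing key; a real service keeps this in a secrets store.
SIGNING_KEY = secrets.token_bytes(32)
BASE = "https://files.example.invalid/s/"  # hypothetical share-link host


def _sign(file_id, exp, key):
    """HMAC over file id and expiry, URL-safe base64 without padding."""
    mac = hmac.new(key, f"{file_id}:{exp}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def issue_share_link(file_id, ttl, now=None, key=SIGNING_KEY):
    """Mint a share link that stops working after `ttl` seconds."""
    exp = int((time.time() if now is None else now) + ttl)
    return f"{BASE}{file_id}?exp={exp}&sig={_sign(file_id, exp, key)}"


def verify_share_link(url, now=None, key=SIGNING_KEY):
    """Return 'ok', or the reason the link must be refused."""
    parts = urlparse(url)
    q = parse_qs(parts.query)
    if not parts.path.startswith("/s/") or "exp" not in q or "sig" not in q:
        return "malformed"
    file_id = parts.path[len("/s/"):]
    try:
        exp = int(q["exp"][0])
    except ValueError:
        return "malformed"
    # Check the signature first, so a tampered exp is never trusted.
    if not hmac.compare_digest(q["sig"][0], _sign(file_id, exp, key)):
        return "bad-signature"
    if (time.time() if now is None else now) > exp:
        return "expired"
    return "ok"


def share_link_headers():
    """Headers the share endpoint sends so crawlers neither index nor cache it."""
    return {
        "X-Robots-Tag": "noindex, nofollow, noarchive",
        "Cache-Control": "private, no-store",
        "Referrer-Policy": "no-referrer",
    }


def crawler_may_index(headers):
    """True when nothing in the response tells a search engine to stay away."""
    tag = {h.lower(): v for h, v in headers.items()}.get("x-robots-tag", "")
    directives = {d.strip().lower() for d in tag.split(",")}
    return "noindex" not in directives and "none" not in directives
```

A brute-forced or spidered link still fails `verify_share_link` once its expiry passes, and a crawler that does reach a live link is told not to index it.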