Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sensitive Data Stored On Box.com Accounts Accessible Via Search Queries (threatpost.com)

Posted by BeauHD on from the out-in-the-open dept.

msm1267 writes: Last week Box.com moved quickly and quietly to block search engines from indexing links to confidential data owned by its users. That is after security researcher Markus Neis surfaced private data belonging to a number of Fortune 500 companies via Google, Bing and other search engines. Box.com said it's a classic case of users accidentally oversharing. Neis isn't convinced and says Box.com's so-called Collaboration links shouldn't have been indexed in the first place. Box.com has since blocked access to what security researchers say was a treasure trove of confidential data and fodder for phishing scams.

3 of 29 comments (clear)

  1. This is why "the cloud" is stupid by Anonymous Coward · · Score: 5, Insightful

    Don't let someone else have custody of your data.

    People are so stupid.

  2. Hipchat does this with every file transferred by SethJohnson · · Score: 5, Interesting

    Using the Atlassian chat client, HipChat, if a user transmits a file to another user, the file is stored on Amazon S3, just like it sounds as Box is doing, and is accessible by an obfuscated URL. The files are then available via any unauthenticated GET requests that can stumble upon the URL string via brute force.

    A clever attacker doesn't even need to use her own resources in the brute force attack. A website can be constructed with millions of links pointing at candidate URLs and eventually Google and other indexers will spider them and the ones that don't turn up 404 errors will be added to the web index.

    --
    $5 / month hosted VPS on linux = awesome!
  3. Re:What is shared should be indexed by stephanruby · · Score: 4, Insightful

    Box should just have used a robots.txt and disallowed /* everything by default. It's not that hard.

    It's a given that users, whether they know it or not, are going to leak private urls to search engines. The Alexa toolbar, the Google toolbar, the Microsoft browser, etc., they all leak that kind of information. This is not a new problem. This is why the robots.txt file is there (not to inform hackers of the exact links they must not index, but to inform search engines that if they find themselves on a particular domain, or in a particular directory, that they should not index any file/folder below that level).