Secret Apple data spilled through public Box links

Are you exposing sensitive data in the cloud?
Photo: Charlie Sorrel/Cult of Mac

Apple is one of a large number of big companies that have been inadvertently leaking sensitive data through Box, the cloud storage service.

Security researchers found that staff were exposing data by sharing public links to files and documents that can be easily discovered. It’s thought more than 90 companies, including Box itself, are affected.

Apple is one of the most secretive companies in Silicon Valley. It goes to great lengths to prevent its most sensitive information from making its way into the wild, and severely punishes employees who spill sensitive data.

But it turns out that some Apple staffers have been inadvertently making sensitive data public by sharing it through Box.

Beware cloud sharing

Cybersecurity research firm Adversis has warned that major companies are exposing their data by sharing Box links. The links are supposed to be secret, but Adversis says they are easily discoverable by anyone.

“Using a script to scan for and enumerate Box accounts with lists of company names and wildcard searches, Adversis found over 90 companies with publicly accessible folders,” reports TechCrunch.

Some of the data found by Adversis includes passport photos, social security and bank account numbers, high-profile technology prototypes and design files, financial data, customer lists, and VPN configurations.

Adversis planned to reach out to every company individually to inform them of its discovery. “But we quickly realized that was impossible at this scale,” it explains. It did alert some companies that had exposed “highly sensitive” data.

‘A good chance you are leaking sensitive data’

Box enterprise accounts, like those used by companies, are private by default. But employees can make files and documents public by sharing links to them, often without realizing that those links can be found by others.

Those public folders are even indexed by search engines in some cases, which makes them easier to find. Box has already been in the news recently after sensitive documents saved to Box accounts turned up on Google.

“If your company uses Box, there is a good chance you are leaking sensitive data already and you may want to finish reading this after you disable public file sharing,” Adversis warns.

It’s important to note, however, that this isn’t Box’s fault. It does protect enterprise accounts by default — and advises users on how to minimize the risks of leaking data. It’s up to the user to share files with caution.

Apple has fixed the problem

Even when those users are aware of the risks, it can be difficult to prevent leaks. Box’s own employees exposed a number of company files, including signed non-disclosure agreements with clients, and staff performance reports.

Some Apple data, including logs and regional price lists, did make its way into the wild. More sensitive information, such as product prototype designs and launch plans, was not found in its Box folders.

Adversis first reported the results of its findings to Box last September, and Box followed up with a public service announcement to all its customers days later. Apple and many others have already addressed this problem.