Sensitive Data Stored On Box.com Accounts Accessible Via Search Queries (threatpost.com)
msm1267 writes: Last week Box.com moved quickly and quietly to block search engines from indexing links to confidential data owned by its users. That came after security researcher Markus Neis surfaced private data belonging to a number of Fortune 500 companies via Google, Bing and other search engines. Box.com said it's a classic case of users accidentally oversharing. Neis isn't convinced, and says Box.com's so-called Collaboration links should never have been indexed in the first place. Box.com has since blocked access to what security researchers describe as a treasure trove of confidential data and fodder for phishing scams.
This is why "the cloud" is stupid (Score:5, Insightful)
Don't let someone else have custody of your data.
People are so stupid.
Re: This is why "the cloud" is stupid (Score:1)
But they said it was in a box, not a cloud. I'm confused.
Re: (Score:2)
My former security workplace used box.com. :(
Do any archives have copies? (Score:2)
I'd like to look through the data. For science, yeah, that's the ticket...
What is shared should be indexed (Score:1)
I'm with box.com on this. If users overshare their links, why should it be box.com's or the search engines' responsibility to know that the information is confidential and to prevent indexing? Why do the idiots who overshare get preferential treatment over people who willingly want their information to be public and deliberately post links in places where search engines will index them so the content can be found?
Re:What is shared should be indexed (Score:5, Insightful)
Box should just have used a robots.txt and disallowed everything by default. It's not that hard [robotsgenerator.com].
It's a given that users, whether they know it or not, are going to leak private URLs to search engines. The Alexa toolbar, the Google toolbar, the Microsoft browser: they all leak that kind of information. This is not a new problem; it is why the robots.txt file exists (not to inform hackers of the exact links they must not index, but to inform search engines that if they find themselves on a particular domain, or in a particular directory, they should not index any file or folder below that level).
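For the record, a deny-everything policy is two lines. This is only a sketch; whether Box could blanket-disallow its whole domain rather than just the shared-link paths is their product call:

    # robots.txt at the web root: tell compliant crawlers to skip everything
    User-agent: *
    Disallow: /

Compliant crawlers would then skip every URL on the domain. Rogue spiders ignore it, as others point out below, but it closes the front door.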
Re: (Score:2)
It's a problem if search engines are indexing private URLs based on toolbar usage.
The toolbar example is but one example I chose. There are others that are even more subtle.
That is not box.com's problem though; it is Google's, Microsoft's and the other search engine providers'. They should be limiting their indexing to publicly reachable URLs.
Great! Teach corporations morality, or create new laws and pass them internationally. Either way, I'll be waiting, so get back to me when you're done.
In the meantime, if your company is using box.com, you should probably consider switching providers. If GeoCities were still around, I'd recommend that service instead as a way to share documents online. The GeoCities I remember was nearly as secure as Box.com.
Wish I had mod points (Score:2)
So true. I have a robots.txt to minimize indexing of some old stuff, and nearly everyone ignores it and indexes away. If it is on the web, somebody is going to find it.
Re: (Score:2)
It's not very effective anymore because lots of spiders give zero fucks about the robots file. BaiDu.cn and Yandex.ru will slurp up everything they can, no matter what your robots.txt says.
I know, but I'm just responding to the article at hand which says:
a researcher found confidential documents and data belonging to Box.com users via Google, Bing and other search engines.
This means that Box.com didn't even take the most basic precaution they could have taken.
Re: (Score:1)
While robots.txt lets companies keep URLs like these out of legitimate search engines, it does not stop rogue indexing services. Take Baidu, for example: I've seen how they disregard robots.txt entirely. And URLs like these can leak and get indexed through an incredible number of channels: browser add-ons, email scanning, URL shorteners, etc.
Sharing using "secret links" is highly insecure and should not be possible if the information behind the link is confidential.
Re: (Score:2)
Digest access authentication would have stopped it cold. Besides, a lot of spiders use robots.txt as a hint to where the good stuff might be.
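As a rough sketch of the idea, here is what that could look like with Flask and the Flask-HTTPAuth extension; the /s/<token> route and the in-memory user store are made up for illustration:

    # Sketch: digest-protected share links (hypothetical route and user store)
    from flask import Flask
    from flask_httpauth import HTTPDigestAuth

    app = Flask(__name__)
    app.config["SECRET_KEY"] = "change-me"  # used to sign digest nonces
    auth = HTTPDigestAuth()

    USERS = {"alice": "s3cret"}  # toy credential store

    @auth.get_password
    def get_password(username):
        # returning None for unknown users yields a 401 challenge
        return USERS.get(username)

    @app.route("/s/<token>")
    @auth.login_required
    def shared_file(token):
        # a crawler that stumbles on this URL gets a 401, not the document
        return f"contents of {token}"

A spider that finds the URL gets an HTTP 401 challenge instead of the file, so there is nothing to index even when the link leaks.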
Hmmm (Score:2)
Box.com said it's a classic case of users accidentally oversharing.
Next time you feel trepidation about oversharing, remember, someone once said in a meeting, "Let's make a film with a tornado full of sharks."
How did Box prevent indexing? (Score:1)
TFA is light on technical details, and I don't see any information about what Box has done to prevent these URLs from being indexed in the future. If they just tweaked their robots.txt or something, that isn't going to cut it: people who use Chrome will still leak these URLs directly to Google, which in turn will still index them. See here [google.com] (search for "Chrome sends" for just a taste of what the Chrome spyware transmits back to its mother ship).
Hipchat does this with every file transferred (Score:5, Interesting)
A clever attacker doesn't even need to use her own resources in the brute-force attack. A website can be constructed with millions of links pointing at candidate URLs; eventually Google and other indexers will spider them, and any link that doesn't return a 404 gets added to the web index.
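A toy version of that spider-bait page takes a few lines of Python. The app.box.com/s/ URL shape and the tiny token length here are assumptions purely for illustration; real share tokens are much longer, which is why their entropy is the only real defence:

    import itertools
    import string

    # Sketch: emit an HTML page full of candidate share URLs for crawlers
    # to find. URL shape and token length are hypothetical.
    BASE = "https://app.box.com/s/"
    ALPHABET = string.ascii_lowercase + string.digits

    def candidate_links(length=4, limit=1000):
        """Yield the first `limit` candidate URLs of the given token length."""
        for i, chars in enumerate(itertools.product(ALPHABET, repeat=length)):
            if i >= limit:
                return
            yield BASE + "".join(chars)

    with open("bait.html", "w") as f:
        f.write("<html><body>\n")
        for url in candidate_links():
            f.write(f'<a href="{url}">x</a>\n')
        f.write("</body></html>\n")

Once a crawler indexes the bait page, every guessed link that resolves ends up searchable, and the attacker's own machines never have to touch the target.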
WTF is Box? (Score:2)