Files uploaded to Box are automatically private. However, if someone creates a link to a file on Box, it becomes public. This is the unfortunate fact that employees are now discovering, including those at Apple. Employees may have used Box to send each other files, believing this to be secure or at least in-network only. However, anyone with the link could access those files.
A security firm, Adversis, found they could recreate the links using only a company’s name and some random numbers. With a program, they could try many URLs, eventually finding one that worked. Then they could download and view any secret file from any company that used Box like this.
While Apple may be a secretive company, they’ve got a leak they weren’t expecting.
How to Prevent These Leaks
Preventing leaks like this wouldn’t be difficult. The way to fix it is to give the users the behavior they’re expecting. When someone from a corporate account shares a link, clearly they only want employees who also have corporate accounts to access them.
Basically, there needs to be at least 3 levels of security. First is private, only the uploader can see the file. Then there’s the existing public level, which means anyone with the link. However, Box and other cloud storage companies need a third option: in-network. This means that if an Apple employee uploads something to the corporate Apple Box server, only other Apple employees could ever access it.
Companies could create sub-networks within their company to represent orgs. Say Apple doesn’t want the engineering org to see the documents from Jony Ive’s secret workshop. They can do this with subdirectories to create user access rights. An employee who only has access to Apple/Engineering wouldn’t have access to Apple/ or Apple/Design. It’s an easy solution. People with multiple access rights simply get multiple folders for their uploads, but only people with those rights can access them.
This isn’t rocket science, it’s basic permissions based security, and it’s everywhere, including on whatever device you’re reading this on.
What You Need to Do
You need to remember that when you share something that says “Anyone with a link can view” it really means anyone. Those links may look random to you, but a computer can “guess” a random string of numbers in seconds.
Many companies have already addressed these problems internally. You may have already been warned not to share Box links with coworkers. Still, not all companies are security conscious, and some decide to take risks anyway. But at least you will know how to keep your files safe.
Source: Killian Bell, Cult of Mac