Introduction

Box is a "cloud-based content management platform", primarily used to share files and folders. Much like AWS S3 buckets, these files can be shared with anyone who has the link, restricted to users within your company (Box Enterprise), or restricted to specific users.

Companies using Box Enterprise get their own sub-domain, and documents saved on Box can be shared with anyone who has the unique URL. Users can also give the shared link whatever name they choose. Unfortunately, the sub-domain, URL, and folder names are easily brute-forceable. You can see where this is going.
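The exposure described above comes from combining a predictable sub-domain with a user-chosen link name. A Box administrator can audit for exactly that combination from their own side. The script below is an added example, not code from the original post or from Box: it assumes the shape of the Box folder-items response (the `shared_link` object with `access`, `url` and an optional `vanity_name` field), works over a constructed sample of that response rather than calling the API, and flags open links whose custom names are a dictionary word or too short to resist guessing.

```python
"""Audit Box shared links for guessable custom names (added example).

Assumptions (labelled, not verified against a live tenant):
  * Each item from GET /2.0/folders/{id}/items?fields=name,type,shared_link
    carries a ``shared_link`` object with ``access`` in
    {"open", "company", "collaborators"}, a ``url`` and, when the user
    named the link, a ``vanity_name``.
  * SAMPLE_RESPONSE below is constructed for this example; it is not real
    customer data.
"""
import json
import math
import string
from collections import Counter

SAMPLE_RESPONSE = json.loads("""
{
  "entries": [
    {"type": "file", "id": "1", "name": "board-deck.pdf",
     "shared_link": {"url": "https://example.app.box.com/v/board",
                     "access": "open", "vanity_name": "board"}},
    {"type": "file", "id": "2", "name": "q3-forecast.xlsx",
     "shared_link": {"url": "https://example.app.box.com/v/Fq2Lm9xR7tZk",
                     "access": "open", "vanity_name": "Fq2Lm9xR7tZk"}},
    {"type": "file", "id": "3", "name": "handbook.pdf",
     "shared_link": {"url": "https://example.app.box.com/v/handbook",
                     "access": "company", "vanity_name": "handbook"}},
    {"type": "file", "id": "4", "name": "notes.txt"},
    {"type": "folder", "id": "5", "name": "archive",
     "shared_link": {"url": "https://example.app.box.com/s/3f1c9a0b2e4d",
                     "access": "open"}},
    {"type": "file", "id": "6", "name": "payroll-2023.csv",
     "shared_link": {"url": "https://example.app.box.com/v/pay2023",
                     "access": "open", "vanity_name": "pay2023"}}
  ]
}
""")

# Small constructed list of words a user might pick as a link name.
COMMON_WORDS = {"board", "finance", "hr", "payroll", "backup", "public",
                "docs", "share", "data", "handbook", "archive"}

MIN_BITS = 40.0  # below this a custom name is treated as guessable


def entropy_bits(name: str) -> float:
    """Upper bound on guessing difficulty: len * log2(alphabet size).

    The alphabet is the union of character classes actually present, so a
    lowercase-only word gets 26 symbols, mixed case with digits gets 62.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in name):
        size += 26
    if any(c in string.ascii_uppercase for c in name):
        size += 26
    if any(c in string.digits for c in name):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in name):
        size += 33
    return len(name) * math.log2(size) if size else 0.0


def classify(item: dict) -> dict:
    """Return a risk rating for one folder-items entry."""
    link = item.get("shared_link")
    if not link:
        return {"name": item["name"], "risk": "none", "reason": "not shared"}
    if link.get("access") != "open":
        return {"name": item["name"], "risk": "low",
                "reason": f"access={link.get('access')} requires a Box login"}
    vanity = link.get("vanity_name")
    if not vanity:
        # Box's default /s/<id> links are random; public but not guessable.
        return {"name": item["name"], "risk": "medium",
                "reason": "open link with default random id"}
    if vanity.lower() in COMMON_WORDS:
        return {"name": item["name"], "risk": "high",
                "reason": f"open link named with dictionary word {vanity!r}"}
    bits = entropy_bits(vanity)
    if bits < MIN_BITS:
        return {"name": item["name"], "risk": "high",
                "reason": f"open link name {vanity!r} has only {bits:.1f} bits"}
    return {"name": item["name"], "risk": "medium",
            "reason": f"open link, custom name has {bits:.1f} bits"}


def audit(response: dict) -> list:
    """Classify every entry in a folder-items response."""
    return [classify(item) for item in response.get("entries", [])]


def summarize(findings: list) -> dict:
    """Count findings per risk level."""
    return dict(Counter(f["risk"] for f in findings))


if __name__ == "__main__":
    results = audit(SAMPLE_RESPONSE)
    for f in results:
        print(f"{f['risk']:6}  {f['name']:20}  {f['reason']}")
    print(summarize(results))
```

In a real audit the `entries` would come from walking each folder with the items endpoint; the remediation for every "high" finding is the same one the post implies: either remove the custom name so the link falls back to Box's random identifier, or tighten `access` from `open` to `company` or `collaborators`.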

What We Found

After identifying thousands of Box customer sub-domains through standard intelligence-gathering techniques and using a relatively large wordlist, we discovered hundreds of thousands of documents and terabytes of data exposed across hundreds of customers.

A sampling of data we found: