Confidential files on online file sharing and content management provider Box.com were found via Google, Bing, and other search engines after a flaw was identified. The flaw lies in the invite URL generated for participants to access or collaborate on a cloud storage account. The invite URL directs participants to a landing page that is typically indexed by search engines. As a result, attackers can reach sensitive data stored on collaborative accounts with a simple search engine query. They can also upload malware to a collaborative project and send malicious attachments in emails to participating employees.
Box.com Plugs Account Data Leakage Flaw