Avoid Misconfiguration of Public Custom Shared Links in the Cloud

By on Mar 21, 2019

By now, you may have heard that security researchers uncovered ways by which someone could gain unintended access to public, custom shared links in Box, the popular cloud content management service. These were not the typical alpha-numeric shared URLs you might be familiar with, featuring inherent obfuscation with 32 alphanumeric characters i.e.:


Instead, companies who enabled the user-defined custom shared link feature left data open under public URLs such as:


This allowed researchers to conduct a search for URLs with company names + folder names such as “press-releases”, essentially guessing the public URLs. Of course, some documents are intended to be public. But when public sharing of sensitive data occurs in this manner, we consider it a “misconfiguration”, as did the researchers.


Download BOX Datasheet

Download the McAfee MVISION Cloud for Box datasheet for a complete list of product capabilities.

Download Now

Box recommends (and we strongly agree) that sensitive data should never be shared via public links, especially those with custom URLs which can be discovered more easily than alphanumeric strings. Box administrators can easily turn off the public custom URL feature if they feel it is being misused in their organization:



Enabling Secure Collaboration Across All Cloud Services

For Box and at a global-level across all cloud services, visibility and control over sensitive data is a critical element of enterprise security posture. With MVISION Cloud, our Cloud Access Security Broker (CASB) solution, you can enact collaboration controls that incorporate data classification and sharing together, giving you the ability to prevent sensitive data from ever seeing a public custom URL, or any publicly shared link. That acts in real-time, and for any links already created, sharing rights can be revoked retroactively.

The result of this policy action would appear as an incident for you to review and investigate. In an example here, a user has attempted to create a public shared link for data classified as “Confidential”. Immediately, the action is blocked and an incident created, showing the user, document, and content match:


Additionally, the response action to remove the shared setting and resolve the incident:


By policy, you can decide where your sensitive data in the cloud goes. For example, “internal-only” data can be shared to internal collaborators, but not externally.

That’s just one way you can protect your data in Box. Additionally, you can:

  • Limit download/sync to unmanaged devices, gaining total control over user access to Box by enforcing context-specific policies limiting end-user actions.
  • Perform forensic investigations with full context, capturing a complete audit trail of all user activity enriched with threat intelligence to facilitate post-incident forensic investigations.
  • Detect and correct user threats and malware, detecting threats from compromised accounts, insider threats, privileged access misuse, and malware infection.

Our goal is to make cloud services like Box the most secure environment for your organization to collaborate and conduct business. With enhanced visibility and control over your data in the cloud, Box and beyond, you can more confidently and consistently enable cloud services and accelerate your business.

Learn more about securing your data in Box: 

MVISION Cloud for Box Datasheet

13 Box Security Best Practices Blog

About the Author

McAfee Cloud BU

Learn about cloud threats, the latest cloud security technologies, and the leading approaches for protecting data in cloud services.

Read more posts from McAfee Cloud BU

Categories: Cloud Security

Subscribe to McAfee Securing Tomorrow Blogs