At Box, we take the security of our customers' data seriously, and wanted to update customers on best practices when using Box's "Custom URL" sharing feature. Recently, an article was published by a researcher on potential ways that unintended parties could access public/open Custom URLs by guessing the words that users created for these web addresses.
This is not a security vulnerability. Custom URLs are a very small percentage of all shared links created, and are intended to be used for sharing content publicly. However, it's important to ensure users are using this feature in the right way, and there are important details you should know when using Custom URLs, as well improvements we're making to ensure better usability and protections when using this feature.
Custom Shared Links are different from a default secure Box shared link
As with other cloud sharing platforms, if you want to share files or folders securely, Box generates a secured shared link that can be used to share with people either inside or outside your company. Box shared links are assigned a URL based on 32 randomly generated alphanumeric characters, and we provide a variety of security controls our users can choose based on the sensitivity of the content they are sharing. Additionally, users and enterprises can enable additional security controls on these links, such as password-protection and expiration policies to automatically un-share content at a user-designated point in time.
As an optional feature, enterprises can enable or disable the generation of "Custom URLs" for shared links. This is a means of changing the default generated secure shared link to an easily discoverable, user-defined web address. This feature is intended to be used only for content that users are looking to make easily accessible using a customized web address. For instance: if you're a car company distributing public press releases for a product launch or a media agency sharing a portfolio of content, custom shared links make it easy to publish content on the web.
Here is an example of what both link types might looks like:
- Default Secure Box Shared Link: "company.box.com/s/m6nd910dla913ydsd01akd1hdfasljkn"
- User-defined Custom Shared Link: “company.box.com/v/press-releases”
Custom Shared Links are intended for sharing non-sensitive, public content with a broad group or internal content companywide. As such, it is important to understand that the combination of an easily discoverable url and public/open link settings makes it easier for external parties to find these URLs. Because of this, we do not recommend putting any sensitive or private information into the files or folders with Custom URLs set to "public/open" permissions. Please Note: If your organization has no reason to share content publicly, we recommend admins turn off this feature (see how below).
Improvements we're making to Custom Shared Links for your Security
To give IT admins more control over how Custom Shared URLs are used (or not), and for better usability for end-users, we're making changes to further improve end-user education and controls around safe ways to use Custom URLs:
- Increasing the minimum number of characters for a Custom URL: While Custom URLs are only intended for non-sensitive content, to reduce unintended access we've increased the number of required characters for creating *new* custom URLs to 12 characters or more
- Better user education around Custom URLs: We’ve added a dialog in the link settings tool that advises users that no sensitive content should ever be shared with the Custom URL level of permission
- Making it easier for admins to turn off the Custom URL feature capability: We've made it simple to disable custom URLs in your Box instance. Just visit the “Content & Sharing” tab “Enterprise Settings” section of the Box Admin Console to turn off this feature if you don't want users creating Custom URLs for content. After this change, users will only have the ability to use Box-generated secure links, or invite users or groups to folders directly.
Stay tuned. We will continue to make improvements to Box's core security features, usability, and admin controls to ensure your content is always protected and controlled. For more information about shared links on Box and Admin tools available to you, please see these posts on the Box Community:
About Open Shared Links and Custom URLs
About Admin settings for shared links
About Secure Shared Links