NYU Box & Google Privacy Alert

The NYU IT Office of Information Security was recently made aware of a privacy issue relating to shared documents/folders in NYU Box. Please note that this NYU Box privacy issue has been corrected, but it may take some time for Google’s cached search results to update and for the correction to be reflected.

The issue: If documents or folders in NYU Box were shared using the sharing setting “People with the link”, and that link was listed on a publicly available webpage, the link could have been indexed by Google. In this instance, the link could have been retrieved by anyone performing a Google search. For example, the Share option in NYU Box shows the link to be shared, and shows the applied share setting for the link as follows:

Screenshot showing the Shared Link screen in NYU Box with the Shared Link displaying at the top of the screen and the document access type pick list expanded. The option "People with the link" is encircled in red. Other options include "People in your company", "People in this folder", and "Remove Link".

If a user selected People with the link as the share setting, the document/folder would have contained the above-mentioned privacy vulnerability.

Similarly, please be aware of the following: if a Google Apps document is shared with others via a shareable link, in conjunction with the link sharing setting “On – Anyone with the link”, this link could be retrieved and the document could be accessed by anyone.

For example, the File, Share option in Google Apps shows the option to obtain a shareable link along with the following default settings:

Screenshot showing the "Get a shareable link" option in Google Apps. The option is encircled in red at the top right of the screen. The default setting of "Anyone at New York University with the link can view" is displayed.

If a user chooses the Get a shareable link option (above) and then selects the On – Anyone with the link option (accessible via the drop-down arrow to the right of Anyone at New York University with the link can view), the document will contain the above-mentioned privacy vulnerability.

Screenshot of Link sharing options with the option "On - Anyone with the link" encircled in red. Other options include "On - Public on the web", "On - New York University", "On - Anyone at New York University with the link", and "Off - Specific people".

Please be reminded that the “On – Anyone with the link” sharing option is not the default, so in order to be impacted, you have to have made the changes detailed herein.

For more detailed information on the Box vulnerability, please see: https://threatpost.com/box-com-plugs-account-data-leakage-flaw/122810/

Additionally, although there is no simple way to check if your NYU Box documents/folders have been overshared, you can always modify share settings if necessary. On the Google Drive side, please be advised of the Drive-Eye add-on, a tool to help identify Google files stored in your NYU Drive that have been broadly shared with the NYU community and beyond. Once files have been identified by Drive-Eye, you can open the document(s) from the report and change sharing settings if necessary. For more information, please see the following NYU Knowledge Base article: NYU Drive: Finding and securing shared files.
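To illustrate the kind of check described above, the following Python is an added example; it is not part of the original alert and is not Drive-Eye's code. It assumes file metadata in the shape of Google Drive API v3 file resources (a `permissions` list whose entries carry `type`, `allowFileDiscovery` and `domain`), maps each file to the link sharing labels shown in the screenshots with the domain value substituted, and reports files whose link works without signing in. The file names and the `nyu.edu` domain value are constructed sample data.

```python
# Added example: flag broadly shared files from Drive API v3 style metadata.
# All file names and the nyu.edu domain value below are constructed sample data.

def classify(perm):
    """Map one permission to (rank, sharing-dialog label); higher rank = wider audience."""
    ptype = perm.get("type")
    discoverable = perm.get("allowFileDiscovery", False)
    if ptype == "anyone":
        if discoverable:
            return (4, "On - Public on the web")
        return (3, "On - Anyone with the link")
    if ptype == "domain":
        domain = perm.get("domain", "unknown domain")
        if discoverable:
            return (2, f"On - {domain}")
        return (1, f"On - Anyone at {domain} with the link")
    return (0, "Off - Specific people")  # user or group grants


def file_exposure(file_meta):
    """Widest audience granted by any permission on the file."""
    perms = file_meta.get("permissions", [])
    return max((classify(p) for p in perms), default=(0, "Off - Specific people"))


def overshared(files, min_rank=3):
    """Return (name, label) for files reachable without signing in (rank >= 3)."""
    hits = []
    for f in files:
        rank, label = file_exposure(f)
        if rank >= min_rank:
            hits.append((f["name"], label))
    return sorted(hits)


SAMPLE_FILES = [  # constructed records
    {"name": "budget.xlsx", "permissions": [
        {"type": "user", "role": "owner"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"name": "syllabus.doc", "permissions": [
        {"type": "user", "role": "owner"},
        {"type": "domain", "domain": "nyu.edu", "role": "reader", "allowFileDiscovery": False}]},
    {"name": "flyer.pdf", "permissions": [
        {"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
    {"name": "notes.txt", "permissions": [{"type": "user", "role": "owner"}]},
]

if __name__ == "__main__":
    for name, label in overshared(SAMPLE_FILES):
        print(f"{name}: {label}")
```

Lowering `min_rank` to 1 also lists files shared with the whole domain, which matches the "broadly shared with the NYU community" case.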