Awesome Jerry Explains Common Threats in SaaS: Accidental Exposure

Hi there! Jerry again.

By now, you are familiar with our series discussing the most common threats in SaaS applications. Congratulations, you are well on your way to awesome! I already covered malware propagation last time, so in this post, I’ll introduce another fairly common threat: accidental exposure.

SaaS applications are designed to be user friendly, and permissions for sharing are fully under the user’s control. If you wanted to share data with a colleague, you could simply generate a link and paste it into an email, or you could share directly within the application by inputting the intended individual’s email address for access.

As simple and easy as it is to share that intended piece of information with that individual, it is just as simple and easy to accidentally share a confidential piece of information with the wrong person. For example, the email with the shared link could be forwarded around and eventually make its way out of the organization, or you could accidentally click the wrong email address when the application attempts to autocomplete.

What makes accidental exposure even more worrisome is the quick pace at which Google indexes public files from SaaS applications, the ease with which data can be found via Google search, and the continuous monitoring by attackers for mistakenly shared data. SaaS applications let users mark files as private or public. If a confidential file is accidentally uploaded and marked public, an attacker can uncover this data with a customized Google search for the website on which the file is hosted, the file type and common keywords.
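One way to catch these mistakes before a search engine does is to audit sharing settings regularly. The sketch below is an added example, not code from this post or from any SaaS vendor: the inventory format, field names, organization domain and keyword list are all assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass, field

ORG_DOMAIN = "example.com"  # assumption: the organization's own mail domain
SENSITIVE_KEYWORDS = ("confidential", "payroll", "passport")  # assumption

@dataclass
class SharedFile:
    name: str
    visibility: str  # hypothetical values: "private", "link" or "public"
    shared_with: list = field(default_factory=list)

def findings(f, org_domain=ORG_DOMAIN):
    """Return the exposure findings for one file (empty list if none)."""
    out = []
    sensitive = any(k in f.name.lower() for k in SENSITIVE_KEYWORDS)
    if f.visibility == "public":
        # Public files are the ones a search engine can index.
        out.append("public-sensitive" if sensitive else "public")
    elif f.visibility == "link":
        # Anyone holding the link has access, including after a forward.
        out.append("link-sharing")
    # Recipients outside the organization, e.g. an autocomplete slip.
    external = sorted(a for a in f.shared_with
                      if a.rsplit("@", 1)[-1].lower() != org_domain)
    if external:
        out.append("external:" + ",".join(external))
    return out

def audit(files, org_domain=ORG_DOMAIN):
    """Map file name -> findings, keeping only files with a finding."""
    report = {f.name: findings(f, org_domain) for f in files}
    return {name: hits for name, hits in report.items() if hits}

# Constructed sample inventory, standing in for an export of sharing settings.
SAMPLE_INVENTORY = [
    SharedFile("Q3-payroll-CONFIDENTIAL.xlsx", "public"),
    SharedFile("team-lunch-menu.pdf", "public"),
    SharedFile("roadmap-draft.docx", "link",
               ["sam@example.com", "pat@examp1e.com"]),
    SharedFile("notes.txt", "private", ["sam@example.com"]),
]

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(hits)}")
```

Note that the lookalike domain `examp1e.com` is flagged as external because the check compares the full recipient domain exactly.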

Considering how easy it is to accidentally expose sensitive data, it is important to understand the threats and take measures to protect your applications. I’ll leave you with some reading material and resources to hold you over until my next post where I’ll cover malicious data exfiltration.