TL;DR
Reviewing a Box web application for security is generally legal, but you must respect the terms of service (ToS) and privacy policies. Unauthorized access or testing could lead to serious legal consequences. Focus on publicly available information and ethical hacking principles.
1. Understand the Legal Boundaries
- Terms of Service (ToS): The most important document. Box’s ToS will outline what you are allowed and not allowed to do with their service. Look for sections on security testing, reverse engineering, data scraping, and acceptable use.
- Privacy Policy: Understand how user data is handled. Avoid accessing or processing any personal information during your review; where the law requires consent for such processing, obtain it explicitly first.
- Computer Misuse Act 1990 (UK): This law prohibits unauthorised access to computer material. Testing Box’s systems without permission could be a violation.
- Data Protection Act 2018 / GDPR: If you handle any personal data during your review, you must comply with these regulations.
2. Permitted Security Activities
These activities are generally considered acceptable if they don’t violate Box’s ToS:
- Publicly Available Information: Gathering information from the Box website, blog posts, help documentation, and publicly accessible APIs.
- Vulnerability Scanning (Limited): Some ToS allow vulnerability scanning of your own Box account or systems you control that interact with Box’s API. Check the specific terms.
- Bug Bounty Programs: If Box has a bug bounty program, follow its rules carefully. This is often the safest way to report vulnerabilities.
- Code Review (Publicly Available Code): Analysing any open-source code released by Box.
3. Prohibited Security Activities
These activities are almost always illegal or violate Box’s ToS:
- Unauthorized Access: Attempting to gain access to accounts you don’t own, or systems you aren’t authorised to use.
- Denial of Service (DoS) Attacks: Disrupting the availability of Box’s service.
- Data Scraping (Without Permission): Collecting large amounts of user data without explicit consent and in violation of the ToS.
- Reverse Engineering (If Prohibited): Disassembling or decompiling Box’s software if the ToS forbids it.
- Social Engineering: Tricking Box employees into revealing sensitive information.
4. Practical Steps for a Legal Review
- Read the ToS and Privacy Policy: Thoroughly understand the rules before starting any testing.
- Scope Your Testing: Clearly define what you will test and ensure it falls within permitted activities.
- Use Your Own Account: Test only on accounts you own or have explicit permission to use.
- Document Everything: Keep detailed records of your testing process, including dates, times, methods used, and findings. This can be helpful if questions arise.
- Report Vulnerabilities Responsibly: If you find a vulnerability, report it through Box’s bug bounty program (if available) or contact their security team directly.
5. Example Command (Safe – Public Information Gathering)
Using curl to retrieve the robots.txt file:
curl https://www.box.com/robots.txt
This is a safe activity as it retrieves publicly available information.
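The following Python script is an added example, not part of the original answer: it shows how the same public robots.txt data can be used to keep a review inside the site's published crawl rules, which supports the "Scope Your Testing" step above. The robots.txt text embedded in the script is constructed for illustration and is not Box's real file; fetch_robots() is the live equivalent of the curl command and is only called from the command-line entry point.

```python
"""Honour robots.txt when gathering public information during a scoped review.

Added example (not from the original answer). SAMPLE_ROBOTS_TXT is a
constructed stand-in so the functions can be exercised offline; the live
file is only retrieved when the script is run directly.
"""
import sys
import urllib.request
import urllib.robotparser

# Constructed sample for offline use; real rules must come from the live URL.
SAMPLE_ROBOTS_TXT = """\
# constructed example, not a real site's file
User-agent: *
Disallow: /api/
Disallow: /private/
Allow: /public/
Sitemap: https://www.example.com/sitemap.xml
"""


def fetch_robots(base_url: str, timeout: float = 10.0) -> str:
    """Retrieve <base_url>/robots.txt over HTTPS (same data the curl command returns)."""
    url = base_url.rstrip("/") + "/robots.txt"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def load_rules(robots_txt: str) -> urllib.robotparser.RobotFileParser:
    """Parse robots.txt text with the standard-library parser."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp


def list_disallowed(robots_txt: str, agent: str = "*") -> list:
    """Return the Disallow prefixes declared for the given User-agent group.

    Informational only: these are paths the site asks crawlers not to fetch,
    which is useful when writing down the scope of a review.
    """
    disallowed = []
    in_group = False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            in_group = (value == agent)
        elif key == "disallow" and in_group and value:
            disallowed.append(value)
    return disallowed


def classify_paths(robots_txt: str, paths: list, agent: str = "*") -> dict:
    """Map each path to True (fetch permitted by robots.txt) or False (disallowed)."""
    rp = load_rules(robots_txt)
    return {p: rp.can_fetch(agent, p) for p in paths}


if __name__ == "__main__":
    # Usage: python robots_scope.py https://www.box.com  (otherwise uses the sample)
    text = fetch_robots(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ROBOTS_TXT
    print("Disallowed prefixes:", list_disallowed(text))
    for path, ok in classify_paths(text, ["/", "/api/files", "/public/docs"]).items():
        print(f"{path:<14} {'allowed' if ok else 'disallowed'}")
```

Run it with a base URL to check the live file, or without arguments to see the behaviour on the constructed sample; the point is that a path the site has marked Disallow is a signal to leave out of the review scope, not an invitation.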
6. Disclaimer
I am an AI chatbot and cannot provide legal advice. This information is for general guidance only. Consult with a qualified legal professional before conducting any security testing to ensure compliance with all applicable laws and regulations.

