Reverse engineering a $1B Legal AI tool exposed 100k+ confidential files
TL;DR Highlight
Filevine's legal AI SaaS had a public API endpoint returning Box admin tokens without auth, exposing 100K+ confidential files from law firms.
Who Should Read
Security engineers and backend devs building SaaS products with third-party OAuth integrations, and CTOs evaluating legal AI vendors.
Core Mechanics
- Filevine had a publicly accessible API endpoint that returned Box admin tokens without any authentication — a classic insecure direct object reference issue on a privileged token endpoint.
- The exposed tokens gave access to Box admin accounts belonging to law firm customers, meaning confidential legal documents (over 100K files) were readable by anyone who hit the endpoint.
- The researcher reported the vulnerability responsibly, but initial response from Filevine was slow. The issue was eventually patched.
- This is a textbook OAuth token storage failure: the server-side tokens were returned client-side with no authorization check on the caller.
- The attack surface is especially sensitive here — legal SaaS products hold privileged client communications, case files, and court documents that carry attorney-client privilege.
Evidence
- The researcher documented the endpoint, sample request, and sanitized token response, confirming the unauthenticated access was trivially reproducible.
- Community reaction was strong: several commenters noted this is a systemic problem with 'move fast' SaaS culture when applied to high-sensitivity legal data.
- Others pointed out that law firms face ABA ethics rules around client data confidentiality — a breach like this could expose firms to bar complaints in addition to legal liability.
- There was debate about whether Filevine's response timeline was acceptable for a security incident of this severity.
How to Apply
- Audit all endpoints that return OAuth tokens or third-party API credentials — verify that caller authorization is checked, not just authentication.
- Never store third-party admin tokens in a way that's retrievable via a user-facing API without checking the requester's permission scope.
- For legal/medical/financial SaaS: treat third-party integration tokens as secrets with the same access controls you'd apply to raw credentials.
- Add automated tests for your most sensitive API endpoints that explicitly verify unauthenticated requests are rejected with 401/403.
Code Example
snippet
// Vulnerable pattern: frontend directly receives a high-privilege token and calls external API
const res = await fetch(`${BOX_SERVICE}/recommend`, {
method: 'POST',
body: JSON.stringify({ projectName: 'Very sensitive Project' })
// No Authorization header!
});
const { boxToken } = await res.json(); // admin token is returned as-is
// Safe pattern: backend acts as proxy or issues short-lived presigned URLs
// Backend (Node.js example)
app.get('/api/file/:fileId', authenticate, async (req, res) => {
// 1. Verify user permissions
const hasAccess = await checkPermission(req.user, req.params.fileId);
if (!hasAccess) return res.status(403).json({ error: 'Forbidden' });
// 2. Call Box API using a token stored only on the backend
const boxClient = new BoxClient({ accessToken: process.env.BOX_ADMIN_TOKEN });
const downloadUrl = await boxClient.files.getDownloadURL(req.params.fileId);
// 3. Return only a short-lived URL (no direct token exposure)
res.json({ url: downloadUrl, expiresIn: 60 });
});Terminology
IDOR (Insecure Direct Object Reference)A vulnerability where an API lets callers access objects (like tokens or files) by ID without verifying the caller has permission to access that object.
OAuth admin tokenA long-lived credential that grants elevated (admin-level) access to a third-party service like Box, typically used for server-to-server integration.
Attorney-client privilegeA legal protection making communications between a lawyer and client confidential and not disclosable without the client's consent.