Box Edit has a vulnerability in which an attacker who is able to compromise a user's DNS service could steal tokens granting read access to portions of that user's Box account. To exploit it, the attacker would need to cause the domain edit.boxlocalhost.com, which Box owns and points at 127.0.0.1, to resolve instead to the address of a machine the attacker controls.
If you have received a warning that your Box Edit connection may have been compromised, submit a support case immediately by clicking this link: Submit a Case
Our User Services team will respond shortly. In the meantime, here are a few steps you can take to ensure your files remain secure:
Disable Box Edit
Enterprise Admins can disable Box Edit from the Apps tab of Enterprise Settings in the Admin Console by searching for the Box Edit app and setting it to disabled (image below). Enterprises with Box Edit disabled are not exposed to this vulnerability.
Update the HOSTS file
On machines under enterprise control, the HOSTS file can be updated to map the name edit.boxlocalhost.com to 127.0.0.1. This completely mitigates the issue and allows continued use of Box Edit; however, any use of Box Edit from a non-managed machine whose HOSTS file has not been updated would still be vulnerable.
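The HOSTS pin above can be verified and applied programmatically. The following is an added example (not Box's own tooling): it parses a hosts file, reports whether edit.boxlocalhost.com is pinned to 127.0.0.1, appends the pin when missing, and checks a list of resolver answers for a non-loopback address, which is the symptom of the DNS manipulation described above. The hosts-file paths and the sample hosts text are assumptions/constructed input.

```python
"""Check and pin the edit.boxlocalhost.com hosts entry (added example, not Box code)."""
import ipaddress
import platform
from pathlib import Path

BOX_EDIT_HOST = "edit.boxlocalhost.com"
EXPECTED_IP = "127.0.0.1"


def hosts_path():
    # Assumed default locations: Windows keeps hosts under System32, macOS/Linux under /etc.
    if platform.system() == "Windows":
        return Path(r"C:\Windows\System32\drivers\etc\hosts")
    return Path("/etc/hosts")


def parse_hosts(text):
    """Return {hostname: [ip, ...]} from hosts-file text, ignoring comments and blanks."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()  # "<ip> <name> [<alias> ...]"
        for name in names:
            mapping.setdefault(name.lower(), []).append(ip)
    return mapping


def box_edit_pinned(text):
    """True only if the Box Edit host is present and every entry for it is 127.0.0.1."""
    ips = parse_hosts(text).get(BOX_EDIT_HOST, [])
    return bool(ips) and all(ip == EXPECTED_IP for ip in ips)


def is_safe_resolution(addresses):
    """Given resolver answers (e.g. from socket.gethostbyname_ex), accept loopback only.
    Any non-loopback or malformed answer means the name points off the local machine."""
    try:
        return bool(addresses) and all(ipaddress.ip_address(a).is_loopback for a in addresses)
    except ValueError:
        return False


def add_pin(text):
    """Return the hosts text with the Box Edit pin appended when it is missing."""
    if box_edit_pinned(text):
        return text
    sep = "" if (not text or text.endswith("\n")) else "\n"
    return f"{text}{sep}{EXPECTED_IP}\t{BOX_EDIT_HOST}\n"


if __name__ == "__main__":
    current = hosts_path().read_text()  # reading needs no elevation; writing does
    print("pinned" if box_edit_pinned(current) else "NOT pinned: update the HOSTS file")
```

Writing the result of add_pin back to the hosts file requires administrator (Windows) or root (macOS/Linux) rights, which is why this step is only practical on managed machines.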
Long-term solution
A long-term solution has been designed and is currently being developed.