Last Updated on 20/01/2022 by Nidhi Khandelwal
Researchers have revealed details of a now-patched issue in Box’s Multi-Factor Authentication (MFA) system that could be leveraged to bypass SMS-based login verification completely.
In a report released with The Hacker News, Varonis researchers warned that an attacker could use stolen credentials to breach an organization’s Box account and exfiltrate important data without access to the victim’s phone.
According to the cybersecurity firm, the issue was disclosed to the cloud service provider on November 2, 2021, after which Box implemented patches.
MFA is an authentication mechanism that combines a password (something only the user knows) with a time-based one-time password, or TOTP (something only the user has), giving users a second layer of protection against credential stuffing and other account takeover attacks.
This two-step authentication can be accomplished by sending a code via SMS or by using an authenticator software or a hardware security key. When a Box user who has opted in to receive SMS verification logs in with a valid username and password, the service creates a session cookie and takes the user to a screen where the TOTP can be provided to get access to the account.
Varonis discovered the bypass as a result of what the researchers called an MFA mode mixup. It happens when an attacker uses the victim’s credentials and forgoes SMS-based authentication in favor of an alternative method, such as using the authenticator app to finish the login just by providing the TOTP associated with their own Box account.
“Box ignores the fact that the victim hasn’t enrolled [in] an authenticator app, and instead accepts a valid authentication passcode from a completely separate account without verifying that it belongs to the user who was logging in,” the researchers wrote. “Without accessing the victim’s phone or sending an SMS notification, we were able to gain access to their Box account.”
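The flaw class described above, a second-factor check that validates a code against an enrollment without confirming the enrollment belongs to the account being logged into, can be shown with a small added Python model. This is illustrative code written for this page, not Box's implementation or Varonis's proof of concept; the enrollment table, the secrets, the `factor_id` request field and the timestamp are all constructed assumptions. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step) so the codes are real, and the vulnerable verifier is shown beside the hardened one.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated.
def totp(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(timestamp // step)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)

# Constructed enrollment table (assumption: one global table keyed by factor id).
# The victim enrolled only SMS; the attacker enrolled an authenticator app on a
# separate account. The secret is a made-up sample value, not a real credential.
ENROLLMENTS = {
    "factor-victim-sms": {"user": "victim", "method": "sms", "secret": None},
    "factor-attacker-totp": {"user": "attacker", "method": "totp", "secret": "JBSWY3DPEHPK3PXP"},
}

def verify_second_factor_vulnerable(session_user: str, factor_id: str, code: str, now: int) -> bool:
    """Mode mixup: trusts the client-supplied factor id and never asks whose factor it is.

    The session cookie identifies `session_user` (password already verified), but the
    code is checked against whatever enrollment `factor_id` points at, even one that
    belongs to a different account and a method the session user never enrolled.
    """
    enrollment = ENROLLMENTS.get(factor_id)
    if enrollment is None or enrollment["method"] != "totp":
        return False
    return hmac.compare_digest(code, totp(enrollment["secret"], now))

def verify_second_factor_hardened(session_user: str, factor_id: str, code: str, now: int) -> bool:
    """Bind the second factor to the authenticated session before validating the code."""
    enrollment = ENROLLMENTS.get(factor_id)
    if enrollment is None:
        return False
    # The factor must belong to the account that is logging in ...
    if enrollment["user"] != session_user:
        return False
    # ... and must be a TOTP enrollment of that account; an SMS-only user has no
    # authenticator secret, so a TOTP submission for them is rejected outright.
    if enrollment["method"] != "totp" or enrollment["secret"] is None:
        return False
    return hmac.compare_digest(code, totp(enrollment["secret"], now))

def demo(now: int = 1_700_000_000) -> dict:
    """Run both verifiers against the mixup scenario and return the outcomes."""
    attacker_code = totp(ENROLLMENTS["factor-attacker-totp"]["secret"], now)
    return {
        # attacker holds the victim's password and submits a code from their own app
        "vulnerable_accepts_cross_account": verify_second_factor_vulnerable(
            "victim", "factor-attacker-totp", attacker_code, now),
        "hardened_accepts_cross_account": verify_second_factor_hardened(
            "victim", "factor-attacker-totp", attacker_code, now),
        # legitimate use: the attacker account logging into itself still works
        "hardened_accepts_own_factor": verify_second_factor_hardened(
            "attacker", "factor-attacker-totp", attacker_code, now),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The stronger shape in production is to scope the lookup itself by the session user (fetch only that user's enrollments and then pick the factor id) rather than fetch globally and check ownership afterwards, so a forgotten check cannot reintroduce the mixup. An ownership or method mismatch on the second-factor step is also a useful detection signal, since a legitimate client never submits a factor id from another account.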