Last Updated on 06/12/2021 by Riya
Varonis has uncovered a technique to circumvent multifactor authentication (MFA) for Box users who rely on authenticator applications. According to Tal Peleg, a senior security expert at Varonis, an adversary could hijack an organization's Box account and extract sensitive data without ever entering a one-time password.
Varonis reported the vulnerability to Box through HackerOne on November 3rd, and Box has since released a fix.

Box began allowing accounts to use TOTP-based authenticator applications, including Google Authenticator, Okta Verify, Authy, and Duo, in January 2021. Box recommends TOTP over SMS-based verification, according to Peleg, for good reason: SMS codes can be intercepted through SIM swapping, port-out scams, and other methods. He says:
“Authenticator applications that leverage the TOTP (time-based one-time password) technique are convenient for people as well as considerably more reliable than SMS. Typically.”
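The TOTP mechanism the quote refers to is specified in RFC 6238 on top of the RFC 4226 HOTP construction. The following is an added example, not code from the article, Varonis or Box: a minimal Python generator plus the server-side verifier a practitioner actually has to get right (clock-drift window, constant-time comparison, replay rejection), using the RFC reference secret "12345678901234567890" as constructed demo input so the output can be checked against the published RFC test vectors. It illustrates the mechanism only and does not reproduce the Box bypass, which the article does not detail.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo input: the reference secret from the RFC 4226 / RFC 6238 test vectors
# (ASCII "12345678901234567890"). A real server generates a random secret per user.
DEMO_SECRET = b"12345678901234567890"
STEP = 30  # seconds per time step, the default period authenticator apps use


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # 31-bit integer
    return str(code % (10 ** digits)).zfill(digits)           # keep leading zeros


def totp(secret: bytes, at_time: int, step: int = STEP, t0: int = 0,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor((T - T0) / step)."""
    return hotp(secret, (int(at_time) - t0) // step, digits, algo)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI, i.e. the content of the enrolment QR code; the secret is base32, no padding."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits=6&period={STEP}")


def verify_totp(secret: bytes, submitted: str, at_time: int, last_counter=None,
                window: int = 1, step: int = STEP, digits: int = 6):
    """Server-side check. Returns (accepted, new_last_counter).

    - tolerates +/-window time steps of clock drift between client and server,
    - compares in constant time,
    - refuses any counter <= last_counter so an accepted code cannot be replayed
      while it is still inside the drift window.
    """
    current = int(at_time) // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    # Enrolment: what the authenticator app scans (issuer/account are demo values).
    print(provisioning_uri(DEMO_SECRET, "user@example.com", "ExampleIssuer"))
    # Login: client computes the code for "now", server verifies it and records the counter.
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("code:", code, "->", verify_totp(DEMO_SECRET, code, now))
```

With the demo secret, `totp(DEMO_SECRET, 59, digits=8)` yields the RFC 6238 vector `94287082`, and `hotp(DEMO_SECRET, 0)` the RFC 4226 vector `755224`. The security of the scheme rests entirely on the verifier: a bounded window, a constant-time compare, and a stored last-used counter. And, as the article's finding shows, however strong that check is, it protects nothing if the login flow can reach the authenticated state without ever calling it.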