Researchers Bypass SMS-based Multi-Factor Authentication Protecting Box Accounts

Cybersecurity researchers have disclosed details of a now-patched bug in Box’s multi-factor authentication (MFA) mechanism that could be abused to completely sidestep SMS-based login verification.

“Using this technique, an attacker could use stolen credentials to compromise an organization’s Box account and exfiltrate sensitive data without access to the victim’s phone,” Varonis researchers said in a report shared with The Hacker News.

The cybersecurity company said it reported the issue to the cloud service provider on November 2, 2021, post which fixes were issued by Box.

MFA is an authentication method that relies on a combination of factors such as a password (something only the user knows) and a temporary one-time password aka TOTP (something only the user has) to provide users a second layer of defense against credential stuffing and other account takeover attacks.

This two-step authentication can either involve sending the code as an SMS or alternatively, accessed via an authenticator app or a hardware security key. Thus, when a Box user who is enrolled for SMS verification logs in with a valid username and password, the service sets a session cookie and redirects the user to a page where the TOTP can be entered to gain access to the account.

The bypass identified by Varonis is a consequence of what the researchers called a mixup of MFA modes. It occurs when an attacker signs in with the victim’s credentials and abandons the SMS-based authentication in favor of a different process that uses, say, the authenticator app to successfully complete the login simply by furnishing the TOTP associated with their own Box account. Read more:

Leave a Reply

Your email address will not be published. Required fields are marked *