Box 2FA Bypass opens user accounts to attack

March 10, 2022

A security hole in Box, the cloud-based file-sharing service, paved the way for its multi-factor authentication (MFA) to be broken, the researchers said, and it's the second MFA bypass they've discovered in the service so far.

Clearly, the stakes are high: gaining access to a Box account could give cyber attackers access to a wide range of documents and data sensitive to both individuals and organizations. The company claims 97,000 companies and 68 percent of the Fortune 500 as customers.

Source: shutterstock

Researchers from Varonis Threat Labs said the bypass worked on accounts that used unique SMS codes for two-factor authentication (2FA) verification. In a proof-of-concept exploit, they were able to bypass by stealing a session cookie.

With increased pressure to adopt and enforce multi-factor authentication, many [software as a service] vendors now offer multiple MFA options to provide users with a second line of defense against credential stuffing and other password attacks. "Like many apps, Box allows users without single sign-on (SSO) or SMS with a one-time passcode as a second step in authentication."

When a user logs in with their credentials, Box generates the cookie and the user is prompted to navigate to a review page via SMS, where the person is prompted to enter an access code, sent to an enrolled mobile phone.

It may interest you: Researchers discover extremely easy 2FA bypass in Box's cloud management software

However, if the user does not navigate to the verification page, no SMS code is generated, but a session cookie is generated. It is at this point that the bug came into play. A malicious threat actor attempting to log in with stolen credentials could have skipped going to the SMS verification page and instead initiated the other Box-provided MFA option: use an authenticator app, such as Okta Verify or Google Authenticator.

Had the attackers done this, they could have logged into the target account using a factor ID and code from their own Box account, the session cookie received by providing the victim's credentials, and their own authenticator app, without physical access to the victim's phone is required.

“Box did not verify whether the victim was enrolled in TOTP [time-based one-time password] verification and did not validate that the authenticator app used belonged to the user who was logging in,” the researchers explained in an analysis of the report. vulnerability on Tuesday. This made it possible to access the victim's Box account without the victim's phone and without notifying the user via SMS.

Our experts say

Our security expert Franklin Ramírez mentions that it is necessary to make service providers aware so that they constantly test their authentication mechanisms and their authentication factors to make them more robust and avoid possible 0 day attacks. He also reminds about having password change policies from time to time to prevent credentials seen in security breaches from being used.


For more information on this and other topics
you can send us a message

contact us