Cybersecurity researchers have disclosed details of a now-patched bug in Box’s multi-factor authentication (MFA) mechanism that could be abused to completely sidestep SMS-based login verification.
“Using this technique, an attacker could use stolen credentials to compromise an organization’s Box account and exfiltrate sensitive data without access to the victim’s phone,” Varonis researchers said in a report shared with The Hacker News.
The cybersecurity company said it reported the issue to the cloud service provider on November 2, 2021, after which Box issued fixes.
MFA protects users from credential stuffing and other account takeover attempts by combining factors, such as a password (something the user knows) with a time-based one-time password (TOTP), a short-lived code generated from a secret held by a device the user possesses.
The second step can be completed with a code sent via SMS, a code from an authenticator application, or a hardware security key. Thus, when a Box user who is enrolled for SMS verification logs in with a valid username and password, the service sets a session cookie and redirects the user to a page where the one-time code must be entered to gain access to the account.
The bypass identified by Varonis is a consequence of what the researchers called a mixup of MFA modes. It occurs when an attacker signs in with the victim’s credentials, abandons the SMS-based verification, and instead completes the login through a different flow, such as the authenticator app, simply by furnishing a TOTP associated with the attacker’s own Box account.
“Box is unaware that the victim hasn’t signed up for an authentication app and instead blindly accepts a valid login passcode from another account, without verifying that it belongs to the person logging in,” the researchers stated. “This allowed the attacker to gain access to the victim’s Box account without having access to their phone or notifying them via SMS.”
Put another way, Box did not verify that the victim had enrolled in authenticator-app verification (or any method other than SMS), nor did it check that the submitted code came from an authenticator app actually linked to the victim’s account. The second factor was validated as a code in isolation rather than as a code bound to the user who was logging in.
The findings come a little over a month after Varonis disclosed a similar technique that could enable malicious actors to get around authenticator-based verification by “unenroll[ing] a user from MFA after providing a username and password but before providing the second factor.”
“The /mfa/unenrollment endpoint did not require the user to be fully authenticated in order to remove a TOTP device from a user’s account,” the researchers noted in early December 2021.
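Both flaws described above, the MFA mode mixup and the unenrollment endpoint that honoured a half-authenticated session, are logic errors in how the server ties the second factor to the user and to the session state. The following is an added example written for this article, not Box’s or Varonis’s code: it models each flaw next to a hardened version, using a small RFC 6238 TOTP generator so the codes are real. Every user, password, device id, secret and session field in it is constructed for the demo.

```python
"""Added example, not Box's or Varonis's code: a minimal model of the two MFA
logic flaws described in the article, each next to a hardened version. Every
user, secret, device id and session field below is constructed for the demo."""
import hashlib
import hmac
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, so the demo uses real one-time codes offline."""
    counter = now // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def fresh_directory():
    """Constructed user store: which second factor each account enrolled in and
    which authenticator device (TOTP secret) belongs to whom."""
    return {
        "victim":   {"password": "hunter2",  "mfa_method": "sms",  "devices": {}},
        "victim2":  {"password": "s3cret",   "mfa_method": "totp",
                     "devices": {"dev-victim2": b"victim2-secret-0001"}},
        "attacker": {"password": "pa55w0rd", "mfa_method": "totp",
                     "devices": {"dev-attacker": b"attacker-secret-0001"}},
    }


def login_step1(users, username, password):
    """Password check. On success the caller gets a half-authenticated session,
    i.e. the state behind the cookie set before the MFA page is shown."""
    if username not in users or users[username]["password"] != password:
        return None
    return {"user": username, "mfa_done": False}


def verify_totp_vulnerable(users, session, device_id, code, now):
    """Mode mixup: the code is checked against a global device index, without
    asking which method the session's user enrolled in or who owns the device."""
    all_devices = {d: s for u in users.values() for d, s in u["devices"].items()}
    secret = all_devices.get(device_id)
    if secret is not None and hmac.compare_digest(totp(secret, now), code):
        session["mfa_done"] = True
    return session["mfa_done"]


def verify_totp_fixed(users, session, device_id, code, now):
    """Bind the second factor to the session's user: the user must actually be
    enrolled in TOTP and the device must be one registered on that account."""
    user = users[session["user"]]
    if user["mfa_method"] != "totp":
        return False
    secret = user["devices"].get(device_id)
    if secret is not None and hmac.compare_digest(totp(secret, now), code):
        session["mfa_done"] = True
    return session["mfa_done"]


def unenroll_vulnerable(users, session, device_id):
    """The earlier flaw: the unenrollment endpoint honoured a session that had
    only passed the password step."""
    return users[session["user"]]["devices"].pop(device_id, None) is not None


def unenroll_fixed(users, session, device_id):
    """Refuse to change MFA enrollment until the session is fully authenticated."""
    if not session.get("mfa_done"):
        return False
    return users[session["user"]]["devices"].pop(device_id, None) is not None


def attack_mode_mixup(verify, now=1_700_000_000):
    """Attacker with the victim's stolen password completes MFA with a code from
    the attacker's own authenticator. Returns True if the server lets them in."""
    users = fresh_directory()
    session = login_step1(users, "victim", "hunter2")      # stolen credentials
    my_code = totp(users["attacker"]["devices"]["dev-attacker"], now)
    return verify(users, session, "dev-attacker", my_code, now)


def attack_unenroll(unenroll):
    """Attacker with victim2's password strips their TOTP device before ever
    supplying a second factor. Returns True if the device was removed."""
    users = fresh_directory()
    session = login_step1(users, "victim2", "s3cret")
    return unenroll(users, session, "dev-victim2")


if __name__ == "__main__":
    print("mode mixup, vulnerable:", attack_mode_mixup(verify_totp_vulnerable))  # True
    print("mode mixup, fixed:     ", attack_mode_mixup(verify_totp_fixed))       # False
    print("unenroll, vulnerable:  ", attack_unenroll(unenroll_vulnerable))       # True
    print("unenroll, fixed:       ", attack_unenroll(unenroll_fixed))            # False
```

The two fixes are deliberately small, because the underlying checks are the whole point: a second-factor code is only meaningful when it is validated against a secret registered on the account that is being logged into, and any endpoint that changes MFA enrollment must refuse sessions that have not yet completed the second factor. A server-side code review for either flaw amounts to asking, for every MFA-related handler, which user the session belongs to and whether that binding is enforced before the handler acts.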
“MFA can only be as secure as the developer who wrote the code,” the researchers concluded. “MFA does not necessarily require that an attacker has physical access to the victim’s device in order to breach their account.”