Cybersecurity researchers have disclosed details of a now-patched bug in Box’s multi-factor authentication (MFA) mechanism that could be abused to completely sidestep SMS-based login verification.
“Using this technique, an attacker could use stolen credentials to compromise an organization’s Box account and exfiltrate sensitive data without access to the victim’s phone,” Varonis researchers said in a report shared with The Hacker News.
The cybersecurity company said it reported the issue to the cloud service provider on November 2, 2021, post which fixes were issued by Box.
MFA is an authentication method that relies on a combination of factors such as a password (something only the user knows) and a temporary one-time password aka TOTP (something only the user has) to provide users a second layer of defense against credential stuffing and other account takeover attacks.
This two-step authentication can either involve sending the code as an SMS or alternatively, accessed via an authenticator app or a hardware security key. Thus, when a Box user who is enrolled for SMS verification logs in with a valid username and password, the service sets a session cookie and redirects the user to a page where the TOTP can be entered to gain access to the account.
The bypass identified by Varonis is a consequence of what the researchers called a mixup of MFA modes. It occurs when an attacker signs in with the victim’s credentials and abandons the SMS-based authentication in favor of a different process that uses, say, the authenticator app to successfully complete the login simply by furnishing the TOTP associated with their own Box account.
“Box misses that the victim hasn’t enrolled [in] an authenticator app, and instead blindly accepts a valid authentication passcode from a totally different account without first checking that it belonged to the user that was logging in,” the researchers said. “This made it possible to access the victim’s Box account without accessing their phone or notifying the user via SMS.”
Put differently, Box not only did not check whether the victim was enrolled in an authenticator app-based verification (or any other method barring SMS), it also did not validate that the code entered is from an authenticator app that’s actually linked to the victim who is attempting to log in.
The findings come a little over a month after Varonis disclosed a similar technique that could enable malicious actors to get around authenticator-based verification by “unenroll[ing] a user from MFA after providing a username and password but before providing the second factor.”
“The /mfa/unenrollment endpoint did not require the user to be fully authenticated in order to remove a TOTP device from a user’s account,” the researchers noted in early December 2021.
“MFA is only as good as the developer writing the code [and] can provide a false sense of security,” the researchers concluded. “Just because MFA is enabled doesn’t necessarily mean an attacker must gain physical access to a victim’s device to compromise their account.”