Security researchers from a cybersecurity company called Varonis have revealed a flaw in Box’s multifactor authentication (MFA) mechanism that could allow an attacker to bypass the authentication process completely.
“Using this technique, an attacker could use stolen credentials to compromise an organization’s Box account and exfiltrate sensitive data without access to the victim’s phone,” Varonis researchers said in a report.
According to the security company, it detected the issue on November 2, 2021, and notified the cloud service provider about it. The company later rolled out necessary fixes for the issue.
Multifactor authentication (MFA) is a security procedure that uses a combination of factors, such as a username and a temporary one-time password, to authenticate users. Box's SMS-based MFA option implements this as a two-step process: after the password is accepted, the service saves a session cookie on the user's computer and sends the user to a page where they enter the code delivered by SMS to gain access to their account.
The issue discovered by the researchers stems from a mix-up of MFA modes. An attacker would provide a valid username and password, then decline to authenticate using the SMS-based method and instead switch to the separate flow that uses an authenticator app.
“Box misses that the victim hasn’t enrolled [in] an authenticator app, and instead blindly accepts a valid authentication passcode from a totally different account without first checking that it belonged to the user that was logging in,” the researchers said. “This made it possible to access the victim’s Box account without accessing their phone or notifying the user via SMS.”
Not only did Box fail to check whether the account was enrolled to use an authenticator app for verification, it also did not verify that the code entered from an authenticator app belonged to the victim who was attempting to log in.