Hackers Could Bypass SMS-based Multi-Factor Authentication To Compromise Box Accounts

Hackers Could Bypass SMS-based Multi-Factor Authentication To Compromise Box Accounts

Security researchers from a cybersecurity company called Varonis have revealed a flaw in Box’s multifactor authentication (MFA) mechanism that could allow an attacker to bypass the authentication process completely.

“Using this technique, an attacker could use stolen credentials to compromise an organization’s Box account and exfiltrate sensitive data without access to the victim’s phone,” Varonis researchers said in a report.

According to the security company, it detected the issue on November 2, 2021, and notified the cloud service provider about it. The company later rolled out necessary fixes for the issue.

Multifactor authentication (MFA) is a type of security procedure that uses a combination of factors, such as a username and a temporary one-time password, to authenticate users. This feature allows users to authenticate using a two-step process that involves sending a code in an SMS. After logging in, the service saves a session cookie on the user’s computer and sends the user to a page where they can enter the code to gain access to their account.

The issue discovered by the researcher refers to a mixup of MFA modes. In this case, an attacker would need to provide a username and a password and them refuses to authenticate using the SMS-based authentication method. Instead, they use a different process that uses an authenticator app.

“Box misses that the victim hasn’t enrolled [in] an authenticator app, and instead blindly accepts a valid authentication passcode from a totally different account without first checking that it belonged to the user that was logging in,” the researchers said. “This made it possible to access the victim’s Box account without accessing their phone or notifying the user via SMS.”

Not only did Box not check that the account has not allowed to use an authenticator app for verification, it also did not verify that the code entered from an authenticator app belonged to the victim who was attempting to log in.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.