According to new research from Varonis, a vulnerability in Box's implementation of multi-factor authentication (MFA) allows attackers to take over accounts without having access to the victim's phone.
Because of the flaw, which was patched in November 2021, an attacker just needed stolen credentials to get access to a company's Box account and steal sensitive information if SMS-based MFA was activated. Users without Single Sign-On (SSO) can further secure their accounts using an authenticator app or SMS for second-factor authentication, according to Box, which says that close to 100,000 firms utilize its platform.
How Does SMS Verification Work in Box?
After providing a username and password in Box's login form, the user is redirected to one of two pages:
- If the user is enrolled with an authenticator app, a form to enter a time-based one-time password (OTP).
- If the user has opted to receive a passcode via SMS, a form to enter an SMS code will appear.
- A code is delivered to the user's phone when they go to the SMS verification form. To gain access to their Box.com account, they must enter this code.
When a user attempts to log into a Box account, the platform saves a session cookie and leads to a page where they must enter a time-based one-time password (TOTP) from an authenticator app (at /mfa/verification) or an SMS code (at /2fa/verification). When a user adds an authenticator app to their account, Box provides them a factor ID and the user must enter a one-time password issued by the app in addition to the credentials when logging in.
Researchers from Varonis revealed that an attacker might circumvent MFA for accounts that had SMS-based MFA enabled by abandoning the SMS-based verification procedure instead of commencing TOTP-based MFA. By combining the MFA modalities, the attacker might gain access to the victim's account by giving a factor ID and code from a Box account and authenticator app that the attacker controls.
The entire talk about required MFA from firms like Salesforce and Google, as well as a White House executive order, is to emphasize that MFA implementations, like any other programming, are prone to flaws. MFA can give the impression of security. Because MFA is enabled, an attacker does not necessarily need physical access to a victim's device to compromise their account.
