Cybersecurity researchers have disclosed details of a now-patched bug in Box's multi-factor authentication (MFA) that could be exploited to bypass SMS-based login verification.
“Using this technique, an attacker could use stolen credentials to compromise an organization’s Box account and exfiltrate sensitive data without access to the victim’s phone,” Varonis researchers said in a report shared with The Hacker News.
The cybersecurity company said it reported the issue to the cloud service provider on November 2, 2021, after which Box released a fix.
MFA adds a second layer of security on top of the password the user logs in with (something the user knows): a one-time code, typically a time-based one-time password (TOTP), tied to something only the user has. This additional layer blunts credential stuffing and other account takeover attacks that rely on a stolen password alone.
The second step can take the form of a code sent by SMS, a code generated by an authenticator app, or a hardware security key. When a Box user with MFA enabled logs in with valid credentials, the service sets a session cookie and redirects the user to a page that asks for the one-time code before granting access to the account.
The bypass stems from mixing up MFA modes, Varonis noted. An attacker who logs in with the victim's credentials abandons the SMS-based verification flow and instead switches to the authenticator-app flow, completing the login by submitting a TOTP generated for the attacker's own Box account.
“Box misses that the victim hasn’t enrolled [in] an authenticator app, and instead blindly accepts a valid authentication passcode from a totally different account without first checking that it belonged to the user that was logging in,” the researchers said. “This made it possible to access the victim’s Box account without accessing their phone or notifying the user via SMS.”
In other words, Box not only failed to check whether the victim was enrolled in authenticator app-based verification (or any method other than SMS), it also failed to validate that the code entered came from an authenticator app actually linked to the account being logged into.
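To make the failure concrete, the following is an added example written for this page, not code from Box or from the Varonis report. It models a half-authenticated session after the password step, then contrasts a verification endpoint that trusts a client-supplied factor identifier (the bug pattern described above) with one that binds the factor to the session's user and to the methods that user actually enrolled. All account names, factor IDs, secrets and the plaintext password store are constructed for illustration; the TOTP routine is the standard RFC 6238 HMAC-SHA1 construction, so the attacker's "authenticator app" is just a call to it.

```python
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass


def totp(secret_b32, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, exactly what an authenticator app computes."""
    key = base64.b32decode(secret_b32, casefold=True)
    now = time.time() if for_time is None else for_time
    counter = struct.pack(">Q", int(now // step))
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed accounts (hypothetical, not real Box data; passwords kept in plaintext
# only to keep the example short). The victim enrolled SMS only; the attacker enrolled
# an authenticator app on a separate account of their own.
USERS = {
    "victim@example.com":   {"password": "correct horse", "mfa_methods": {"sms"}},
    "attacker@example.com": {"password": "hunter2",       "mfa_methods": {"totp"}},
}
# Enrolled TOTP factors, keyed by the factor id the client echoes back at verification.
FACTORS = {
    "factor-1001": {"owner": "attacker@example.com", "secret": "JBSWY3DPEHPK3PXP"},
}


@dataclass
class Session:
    user: str
    mfa_passed: bool = False


def password_login(username, password):
    """First factor: on success returns the half-authenticated session that the
    article's 'session cookie' represents; MFA has not been satisfied yet."""
    u = USERS.get(username)
    if u is None or not hmac.compare_digest(u["password"], password):
        return None
    return Session(user=username)


def code_matches(secret, submitted, at):
    """Accept the current 30s step and one step either side, comparing in constant time."""
    return any(hmac.compare_digest(totp(secret, at + d * 30), submitted) for d in (-1, 0, 1))


def verify_totp_vulnerable(session, factor_id, submitted, at=None):
    """Bug pattern from the article: the endpoint resolves whatever factor id the
    client sent and checks the code against it, never asking whether that factor
    belongs to the session's user or whether that user enrolled TOTP at all."""
    at = time.time() if at is None else at
    factor = FACTORS.get(factor_id)
    if factor and code_matches(factor["secret"], submitted, at):
        session.mfa_passed = True
    return session.mfa_passed


def verify_totp_fixed(session, factor_id, submitted, at=None):
    """Hardened version: the method must be enrolled for the session's user, the
    factor must be owned by that user, and only then is the code checked."""
    at = time.time() if at is None else at
    user = USERS[session.user]
    if "totp" not in user["mfa_methods"]:
        return False                      # user never enrolled this MFA mode
    factor = FACTORS.get(factor_id)
    if factor is None or factor["owner"] != session.user:
        return False                      # factor belongs to a different account
    if not code_matches(factor["secret"], submitted, at):
        return False
    session.mfa_passed = True
    return True


def simulate(verify):
    """Attacker holds the victim's stolen password plus their own authenticator.
    Returns whether the victim's session reaches the MFA-passed state."""
    at = 1_700_000_000                    # fixed clock so the run is reproducible
    session = password_login("victim@example.com", "correct horse")
    code = totp(FACTORS["factor-1001"]["secret"], at)   # attacker's own app, own secret
    return verify(session, "factor-1001", code, at)


if __name__ == "__main__":
    print("vulnerable endpoint lets attacker in:", simulate(verify_totp_vulnerable))
    print("fixed endpoint lets attacker in:     ", simulate(verify_totp_fixed))
```

The two checks the fixed version adds are the two the article says were missing: the method must be one the logging-in user enrolled, and the factor must be bound to that user rather than resolved from an identifier the client controls. Note that a valid code and a valid session are each necessary but not sufficient; the server has to tie the two together.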
The finding follows a separate Box MFA weakness the same researchers disclosed in early December 2021. “The /mfa/unenrollment endpoint did not require the user to be fully authenticated in order to remove a TOTP device from a user’s account,” the researchers noted at the time.
“MFA is only as good as the developer writing the code [and] can provide a false sense of security,” the researchers concluded. “Just because MFA is enabled doesn’t necessarily mean an attacker must gain physical access to a victim’s device to compromise their account.”