Jan 20, 2022

Box 2FA Bypass Opens User Accounts to Attack

A security bug in the file-sharing cloud app could have allowed attackers using stolen credentials to skate by one-time SMS code verification requirements.
A security hole in Box, the cloud-based file-sharing service, paved the way for busting its multifactor authentication (MFA), researchers said – and it’s the second such MFA bypass they have discovered in the service so far.
Clearly, the stakes are high – gaining access to a Box account could give cyberattackers access to a vast array of sensitive documents and data for both individuals and organizations. The company claims 97,000 companies and 68 percent of the Fortune 500 as customers.
Varonis Threat Labs researchers said the bypass worked on accounts that used one-time SMS codes for two-factor authentication (2FA) verification. In a proof-of-concept exploit, the bypass hinged on the session cookie Box issues after the password step, obtained simply by logging in with the victim's stolen credentials, rather than on any access to the victim's phone.

“With increased pressure to adopt and enforce multi-factor authentication, many [software-as-a-service] providers now offer multiple MFA options to provide users a second line of defense against credential stuffing and other password attacks,” Varonis researchers wrote. “Like many applications, Box allows users without Single Sign-On (SSO) to [use an authenticator app], or SMS with a one-time passcode, as a second step in authentication.”
When a user logs on with his or her credentials, Box generates a session cookie and sends the user to an SMS verification page, where the person is instructed to enter a one-time passcode sent to an enrolled mobile phone.
However, if the user doesn’t navigate to the verification page, no SMS code is generated, but a session cookie still is. It’s at this point that the bug came into play. A malicious threat actor trying to log in with stolen credentials could have skipped going to the SMS verification page, and could have instead initiated the other MFA option provided by Box: Using an authenticator app, like Okta Verify or Google Authenticator.
If attackers were to have done this, they could have broken into the target account by using a factor ID and code from their own Box account, the session cookie received by providing the victim’s credentials, and their own authenticator app – with no physical access to the victim’s phone required.
“Box did not verify whether the victim was enrolled in [time-based one-time password] TOTP verification and did not validate that the authenticator app used belonged to the user that was logging in,” researchers explained in a Tuesday analysis of the vulnerability. “This made it possible to access the victim’s Box account without the victim’s phone and without notifying the user via SMS.”
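The two missing checks Varonis describes (is this user enrolled in TOTP at all, and does the submitted factor belong to this user) are easy to see in a toy model of the login flow. The following is an added example written for this article, not Box's or Varonis's code: the user names, passwords, factor IDs, secrets and the fixed clock value are all constructed. It implements RFC 6238 TOTP from the standard library, a password-only session that still needs a second factor, a verifier with the bug, and a verifier with the fix, then replays the attack (stolen victim password plus the attacker's own authenticator) against both.

```python
"""
Toy model of the SMS-2FA bypass described above (constructed example, not Box's code).

The password step yields a session that still needs a second factor.  The
vulnerable verifier trusts whatever factor_id the client sends; the fixed one
binds the factor to the session's user and refuses TOTP for users who never
enrolled in it.
"""
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional


# --- RFC 4226 / RFC 6238 one-time codes ------------------------------------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """TOTP: HOTP with the counter derived from the current 30-second time step."""
    return hotp(secret, now // step)


# --- constructed account data (hypothetical users, secrets and factor IDs) ----------
@dataclass
class User:
    name: str
    password: str                      # plaintext only to keep the toy readable
    sms_phone: Optional[str] = None
    totp_factors: set = field(default_factory=set)   # factor IDs this user enrolled


# factor_id -> shared secret; in the real service each factor belongs to one user
FACTORS = {"factor-attacker-001": b"attacker-own-authenticator-seed"}

USERS = {
    "victim": User("victim", "hunter2", sms_phone="+15555550100"),          # SMS-only 2FA
    "attacker": User("attacker", "letmein", totp_factors={"factor-attacker-001"}),
}


@dataclass
class Session:
    user: str
    mfa_passed: bool = False


def password_login(username: str, password: str) -> Optional[Session]:
    """Step 1: correct credentials alone yield a session that still needs a second factor."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user.password.encode(), password.encode()):
        return None
    return Session(user=username)


# --- the bug ------------------------------------------------------------------------
def verify_totp_vulnerable(session: Session, factor_id: str, code: str, now: int) -> bool:
    """Looks the factor up by the client-supplied ID only.

    Never asks whether session.user enrolled in TOTP, nor whether factor_id
    belongs to session.user: a valid (factor_id, code) pair from ANY account
    completes MFA for the victim's session.
    """
    secret = FACTORS.get(factor_id)
    if secret is not None and hmac.compare_digest(totp(secret, now), code):
        session.mfa_passed = True
        return True
    return False


# --- the fix --------------------------------------------------------------------------
def verify_totp_fixed(session: Session, factor_id: str, code: str, now: int) -> bool:
    """Checks the vulnerable version skipped: the user must have TOTP enrolled,
    the factor must be one of THAT user's factors, and only then is the code checked."""
    user = USERS[session.user]
    if not user.totp_factors:                 # SMS-only user: TOTP is not an option here
        return False
    if factor_id not in user.totp_factors:    # factor belongs to someone else
        return False
    if hmac.compare_digest(totp(FACTORS[factor_id], now), code):
        session.mfa_passed = True
        return True
    return False


def run_bypass(verifier) -> bool:
    """Attacker: stolen victim password + own authenticator, never touching the victim's
    phone.  Returns True if the victim's session ends up fully authenticated."""
    now = 1_642_680_000                            # fixed clock so the run is reproducible
    session = password_login("victim", "hunter2")  # stolen credentials -> victim's session
    assert session is not None
    # Skip the SMS page (no code is ever sent to the victim) and go straight to the
    # TOTP endpoint with the attacker's own factor and the code from the attacker's app.
    attacker_code = totp(FACTORS["factor-attacker-001"], now)
    verifier(session, "factor-attacker-001", attacker_code, now)
    return session.mfa_passed


if __name__ == "__main__":
    print("vulnerable verifier lets attacker in:", run_bypass(verify_totp_vulnerable))
    print("fixed verifier lets attacker in:     ", run_bypass(verify_totp_fixed))
```

The fix is deliberately not in the TOTP arithmetic, which is the same in both verifiers; it is in the authorization around it. Any second-factor endpoint should derive the set of acceptable factors from the session's user, never from a client-supplied identifier, and should refuse a method the user never enrolled in.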
The proof-of-concept attack flow is as follows, according to Varonis:
Box has fixed the issue, but “we want to underscore that MFA implementations are prone to bugs, just like any other code,” researchers noted. “Our team has demonstrated not one, but two application flaws that allowed us to access a victim’s MFA-enabled Box account with only username and password. Spoiler alert: Box is not the only major SaaS provider that we’ve been able to bypass.”
The first bypass the researchers discovered worked on authenticator-based MFA.
“There are several issues that led to this vulnerability,” Zane Bond, director of product management at Keeper Security, said via email. “However, at the end of the day, this one sits in a similar bucket to many OAuth and SAML vulnerabilities that are found. The underlying technology is usually sound. These issues tend to stem from individual implementations, or errors in the implementation logic. Ultimately, every vendor is responsible for the correct implementation of a particular security control, and it’s not easy.”
For its part, Box issued the following statement to Threatpost:
“This was a bug that was identified and addressed prior to the release of the blog post. We investigate the impact of every bug reported to us and no impact to customers was observed. We’re continually working with the security community and our partners to identify and address potential issues.”
MFA can provide a false sense of security, researchers noted – and organizations should ensure that bypasses are as rare as possible by implementing common-sense protections.
One of those is mobile phishing awareness training, according to Hank Schless, senior manager of security solutions at Lookout.
“Multifactor authentication is an effective way for an end user to validate their identity. However, it cannot differentiate between whether a user really is who they say they are,” he said via email. “The issue that Varonis highlights is that compromised user credentials could make additional authentication tools far less effective.”
Meanwhile, in order to mitigate the risk of unauthorized access to apps, data and infrastructure, even with legitimate credentials, organizations could also implement cloud access security broker (CASB) and zero trust network access (ZTNA) solutions, which detect anomalous user behavior and verify identity.
“In addition to securing the endpoint, organizations also need to be able to dynamically secure access and actions within both cloud and private apps,” Schless said. “This is where ZTNA and CASB solutions shine. By understanding the interactions between users, devices, networks and data, organizations can understand key indicators of a compromise that point to ransomware or massive data exfiltration taking place. Together, securing employee mobile endpoints as well as your cloud and private apps will help organizations create a solid security posture based in a zero-trust philosophy.”
Varonis researchers noted that CISOs should ask the following:
“We recommend you start by securing data where it lives,” according to Varonis. “When you limit access and monitor the data itself, your likelihood of data exfiltration due to a perimeter bypass drops significantly.”
This post was updated at 1:40 p.m. ET with a statement from Box.