Varonis discovers MFA bypass for Box accounts


By Dylan Bushell-Embling
Monday, 13 December, 2021



Varonis has disclosed a method it discovered for bypassing multifactor authentication on Box accounts that use TOTP authenticator apps such as Google Authenticator.

Before Box fixed the flaw, the technique allowed an attacker holding stolen credentials to compromise an organisation’s Box account and exfiltrate sensitive data without ever supplying a one-time password.

Box added support for TOTP-based authenticator apps such as Google Authenticator, Okta Verify, Authy and Duo as a multifactor authentication option in January 2021.

In a research note, Varonis observed that authenticator apps implementing TOTP are generally more secure than SMS-based verification because they avoid the risk of SMS messages being intercepted through SIM swapping, port-out fraud or similar attacks.

But the Varonis team found that Box’s implementation did not require the user to be fully authenticated before removing a TOTP device from the account. The team exploited this to unenrol a user from multifactor authentication (MFA) after supplying a username and password but before supplying the second factor.

“After performing the unenrollment action, we were able to login without any MFA requirements and gain full access to the user’s Box account, including all their files and folders. Prior to Box’s fix, attackers could compromise user accounts via credential stuffing, brute force, etc,” Varonis said.

The attack workflow requires entering the victim’s email address and password at account.box.com/login and then, from that partially authenticated session, POSTing the device factor’s ID to the /mfa/unenrollment endpoint, which removes the device from the user’s MFA configuration; the login can then be completed with no second factor.
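The flaw class behind that workflow, modelled as an added example (constructed here; this is not Box’s code or Varonis’s research code): a toy login service whose unenrollment handler accepts a session that has passed the password check but not the TOTP check, beside the hardened version that insists on full authentication before any MFA setting can change. The service, the user, the password, the TOTP seed and the file list are all assumed; the TOTP routine follows RFC 6238 over HMAC-SHA1.

```python
# Added illustration, not Box's code: a toy login service with the
# authentication-state flaw described above.  A session that has passed the
# password check but not the TOTP check is only partially authenticated; the
# vulnerable unenroll handler treats that as sufficient to remove the user's
# TOTP device.  All names, users, secrets and files here are constructed.
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional


def totp(secret: bytes, t: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as produced by Google Authenticator and similar apps."""
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class AuthError(Exception):
    pass


@dataclass
class Session:
    user: str
    password_ok: bool = False  # first factor verified
    mfa_ok: bool = False       # second factor verified


class ToyAuthService:
    """Password + TOTP login.  hardened=False reproduces the flaw; hardened=True is the fix."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.users: dict = {}  # user -> {"pw_hash", "totp_secret", "files"}

    def register(self, user: str, password: str, totp_secret: Optional[bytes], files: list) -> None:
        self.users[user] = {
            "pw_hash": hashlib.sha256(password.encode()).digest(),  # toy only; use a real KDF
            "totp_secret": totp_secret,
            "files": files,
        }

    def login(self, user: str, password: str) -> Session:
        """Step 1 of the login flow: verify the password only."""
        rec = self.users.get(user)
        candidate = hashlib.sha256(password.encode()).digest()
        if rec is None or not hmac.compare_digest(rec["pw_hash"], candidate):
            raise AuthError("bad credentials")
        return Session(user=user, password_ok=True)

    def verify_totp(self, s: Session, code: str, now: Optional[float] = None) -> None:
        """Step 2: verify the one-time code from the enrolled authenticator app."""
        secret = self.users[s.user]["totp_secret"]
        if secret is None or not hmac.compare_digest(totp(secret, t=now), code):
            raise AuthError("bad one-time code")
        s.mfa_ok = True

    def fully_authenticated(self, s: Session) -> bool:
        mfa_required = self.users[s.user]["totp_secret"] is not None
        return s.password_ok and (s.mfa_ok or not mfa_required)

    def unenroll_mfa(self, s: Session) -> None:
        """Removes the TOTP device.  The vulnerable branch checks only the first factor."""
        if self.hardened:
            if not self.fully_authenticated(s):
                raise AuthError("complete MFA before changing MFA settings")
        elif not s.password_ok:
            raise AuthError("login first")
        self.users[s.user]["totp_secret"] = None

    def list_files(self, s: Session) -> list:
        if not self.fully_authenticated(s):
            raise AuthError("MFA required")
        return self.users[s.user]["files"]


def attacker_with_stolen_password(svc: ToyAuthService, user: str, password: str):
    """Replay the described workflow: password login, unenroll, then read data with no second factor."""
    s = svc.login(user, password)  # partially authenticated: password only
    try:
        svc.unenroll_mfa(s)        # the step that should be refused at this stage
        return svc.list_files(s)
    except AuthError:
        return None


def build_service(hardened: bool) -> ToyAuthService:
    svc = ToyAuthService(hardened=hardened)
    svc.register("victim@example.com", "leaked-password", b"constructed-totp-seed", ["board-deck.pdf"])
    return svc


if __name__ == "__main__":
    print("vulnerable:", attacker_with_stolen_password(build_service(False), "victim@example.com", "leaked-password"))
    print("hardened:  ", attacker_with_stolen_password(build_service(True), "victim@example.com", "leaked-password"))
```

The hardened branch is the minimum fix: any endpoint that weakens an account’s authentication (unenroll, change recovery email, regenerate backup codes) must check the same fully-authenticated state as the data endpoints, and a stricter service would additionally re-prompt for the current one-time code or password before honouring the request.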

Varonis recommends that organisations looking to implement TOTP-based MFA delegate the implementation to a specialist identity provider such as Okta.

In addition to requiring MFA, organisations should use single sign-on (SSO) where possible, enforce strong password policies, and avoid easily searchable security questions in the authentication workflow, Varonis added.



