Varonis discovers MFA bypass for Box accounts

By Dylan Bushell-Embling
Monday, 13 December, 2021

Varonis has warned that it has discovered a method for bypassing multifactor authentication for Box accounts that use authenticator apps such as Google Authenticator.

The newly discovered technique potentially allows attackers to use stolen credentials to compromise an organisation’s Box account and exfiltrate sensitive data without the need to provide a one-time password.

Box introduced the ability to use TOTP-based authenticator apps such as Google Authenticator, Okta Verify, Authy and Duo for multifactor authentication in January.

In a research note, Varonis noted that authenticator apps which comply with TOTP are usually more secure than SMS-based authentication because they avoid the risk of SMS messages being hijacked through SIM swapping, port-out fraud or another method.

But the Varonis team discovered that the solution implemented by Box did not require the user to be fully authenticated in order to remove a TOTP device from a user’s account. The team was able to exploit this to unenrol a user from multifactor authentication (MFA) after providing a username and password but before providing the second factor.

“After performing the unenrollment action, we were able to login without any MFA requirements and gain full access to the user’s Box account, including all their files and folders. Prior to Box’s fix, attackers could compromise user accounts via credential stuffing, brute force, etc,” Varonis said.

The attack workflow requires entering a user’s email address and password on and then POSTing the device factor’s ID to the /mfa/unenrollment endpoint to unenrol the device/user combo from the MFA process.
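The design flaw described above, as an added sketch that is not Box's code or Varonis's: a session that has passed only the password step is treated as authorised to remove a TOTP device, next to a handler that requires the second factor first. All names (`AuthState`, `Session`, `unenroll_flawed`, `unenroll_hardened`) and the status codes are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum


class AuthState(Enum):
    ANONYMOUS = 0
    PASSWORD_VERIFIED = 1    # first factor accepted, TOTP code still pending
    FULLY_AUTHENTICATED = 2  # both factors accepted


@dataclass
class Account:
    totp_devices: set = field(default_factory=set)


@dataclass
class Session:
    account: Account
    state: AuthState = AuthState.ANONYMOUS


def login_requires_totp(account):
    """The login flow asks for a one-time code only while a device is enrolled."""
    return bool(account.totp_devices)


def unenroll_flawed(session, device_id):
    """Flawed: any session past the password step may remove a factor."""
    if session.state is AuthState.ANONYMOUS:
        return 401
    session.account.totp_devices.discard(device_id)
    return 200


def unenroll_hardened(session, device_id):
    """Hardened: factor removal only from a session that has completed MFA."""
    if session.state is not AuthState.FULLY_AUTHENTICATED:
        return 401
    if device_id not in session.account.totp_devices:
        return 404
    session.account.totp_devices.remove(device_id)
    return 200


if __name__ == "__main__":
    acct = Account({"device-1"})  # constructed sample account
    half = Session(acct, AuthState.PASSWORD_VERIFIED)
    print(unenroll_hardened(half, "device-1"), login_requires_totp(acct))
    print(unenroll_flawed(half, "device-1"), login_requires_totp(acct))
```

A regression test for any MFA management endpoint should assert the hardened behaviour: a password-only session gets a rejection and the enrolled device list is unchanged.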

The company recommends that organisations looking to implement TOTP-based MFA delegate the implementation to a specialist provider such as Okta.

In addition to requiring MFA, companies should also seek to use single sign-on (SSO) technology where possible, enforce strong password policies, and avoid including easily searchable security questions as part of the authentication workflow, Varonis added.


  • All content Copyright © 2022 Westwick-Farrow Pty Ltd