Varonis discovers MFA bypass for Box accounts


By Dylan Bushell-Embling
Monday, 13 December, 2021



Varonis has warned it has discovered a method for bypassing multifactor authentication for Box accounts that use authenticator apps such as Google Authenticator.

The newly discovered technique potentially allows attackers to use stolen credentials to compromise an organisation’s Box account and exfiltrate sensitive data without the need to provide a one-time password.

Box introduced the ability to use TOTP-based authenticator apps such as Google Authenticator, Okta Verify, Authy and Duo for multifactor authentication in January.

In a research note, Varonis observed that TOTP-compliant authenticator apps are usually more secure than SMS-based authentication because they avoid the risk of SMS messages being hijacked through SIM swapping, port-out fraud or similar methods.

But the Varonis team discovered that the solution implemented by Box did not require the user to be fully authenticated in order to remove a TOTP device from a user’s account. The team was able to exploit this to unenrol a user from multifactor authentication (MFA) after providing a username and password but before providing the second factor.

“After performing the unenrollment action, we were able to log in without any MFA requirements and gain full access to the user’s Box account, including all their files and folders. Prior to Box’s fix, attackers could compromise user accounts via credential stuffing, brute force, etc.,” Varonis said.

The attack workflow requires entering a user’s email address and password on account.box.com/login and then POSTing the device factor’s ID to the /mfa/unenrollment endpoint, which removes that device from the user’s MFA configuration.
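The defect described above is an authorization gap: a security-sensitive action (removing an MFA device) was reachable from a session that had passed only the password step. The following is an added example, not Box’s code and not from Varonis, showing a hypothetical unenrollment handler with that gap beside a hardened version that requires the session to be fully authenticated (both factors verified) and to belong to the account being changed, and that records every attempt for detection. All names (`Session`, `Account`, `unenroll_vulnerable`, `unenroll_hardened`, the audit list) are assumptions made for the illustration.

```python
"""Hypothetical MFA-device unenrollment handlers (not Box's implementation).

The vulnerable handler treats "password verified" as "logged in"; the
hardened handler treats a session as authenticated only once every
enrolled factor has been satisfied, and logs each attempt so that an
unenrollment request from a half-authenticated session is visible to SOC.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    password_verified: bool = False  # first factor completed
    mfa_verified: bool = False       # second factor (TOTP) completed


@dataclass
class Account:
    email: str
    totp_devices: dict = field(default_factory=dict)  # device_id -> label


class NotAuthenticated(Exception):
    pass


class MfaRequired(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed in-memory audit trail; a real service would emit these to a SIEM.
AUDIT: list = []


def _audit(event: str, session: Session, account: Account, device_id: str) -> None:
    AUDIT.append({
        "event": event,
        "session_user": session.user,
        "account": account.email,
        "device_id": device_id,
        "mfa_verified": session.mfa_verified,
    })


def unenroll_vulnerable(session: Session, account: Account, device_id: str) -> int:
    """Gap: only the password step is checked, so a stolen password suffices."""
    if not session.password_verified:
        raise NotAuthenticated("log in first")
    account.totp_devices.pop(device_id, None)
    _audit("mfa_unenroll", session, account, device_id)
    return len(account.totp_devices)


def is_fully_authenticated(session: Session, account: Account) -> bool:
    """A session is complete only when every enrolled factor has been satisfied."""
    if not session.password_verified:
        return False
    if account.totp_devices and not session.mfa_verified:
        return False
    return True


def unenroll_hardened(session: Session, account: Account, device_id: str) -> int:
    """Requires a fully authenticated session that owns the account, and refuses
    unknown device ids so the endpoint cannot be used to probe for them."""
    if not session.password_verified:
        raise NotAuthenticated("log in first")
    if session.user != account.email:
        _audit("mfa_unenroll_denied_wrong_account", session, account, device_id)
        raise Forbidden("session does not own this account")
    if not is_fully_authenticated(session, account):
        _audit("mfa_unenroll_denied_mfa_pending", session, account, device_id)
        raise MfaRequired("complete the second factor before changing MFA settings")
    if device_id not in account.totp_devices:
        _audit("mfa_unenroll_denied_unknown_device", session, account, device_id)
        raise KeyError(device_id)
    del account.totp_devices[device_id]
    _audit("mfa_unenroll", session, account, device_id)
    return len(account.totp_devices)


def denied_unenroll_attempts() -> list:
    """Detection helper: audit events where unenrollment was refused."""
    return [e for e in AUDIT if e["event"].startswith("mfa_unenroll_denied")]


if __name__ == "__main__":
    # Constructed sample data: one user with a single enrolled TOTP device.
    half = Session("alice@example.com", password_verified=True, mfa_verified=False)
    acct = Account("alice@example.com", {"dev-1": "phone"})
    print("vulnerable handler left devices:", unenroll_vulnerable(half, acct, "dev-1"))
    acct = Account("alice@example.com", {"dev-1": "phone"})
    try:
        unenroll_hardened(half, acct, "dev-1")
    except MfaRequired as exc:
        print("hardened handler refused:", exc)
    print("denied attempts logged:", len(denied_unenroll_attempts()))
```

The key design choice is `is_fully_authenticated`: the authentication state is derived from the account’s enrolled factors rather than from a single “logged in” flag, so any endpoint that mutates MFA settings is gated on the same rule as the rest of the authenticated surface. The denied-attempt audit events give a detection hook for credential-stuffing activity that reaches the unenrollment step but cannot satisfy the second factor.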

The company recommends that organisations looking to implement TOTP-based MFA delegate the implementation to a specialist provider such as Okta.

In addition to requiring MFA, companies should also seek to use single sign-on (SSO) technology where possible, enforce strong password policies, and avoid including easily searchable security questions as part of the authentication workflow, Varonis added.

