Box, the cloud content management company, has fixed a flaw in its SMS-based multi-factor authentication (MFA), only weeks after patching a separate bypass of its TOTP-based MFA.
In a technical write-up published on January 18, Varonis Threat Labs described a technique that would let an attacker take over a company's Box account and exfiltrate sensitive data without ever touching the victim's phone.
According to Varonis, the issue was disclosed to Box on November 2, 2021, and Box has since deployed a fix.
Multi-factor authentication (MFA) requires a user to prove their identity with at least two distinct verification methods before being granted access to a website or other online resource. If one factor is compromised, the attacker still has another barrier to clear before reaching the target's account.
To give users a second layer of protection against credential theft and other account-takeover threats, MFA combines factors such as a password (something only the user knows) with a time-based one-time password (TOTP) or a similar short-lived code.
The second step can be delivered as a code sent via SMS, generated by an authenticator app, or provided by a hardware security key. Like many applications, Box lets users who do not have Single Sign-On (SSO) use a one-time passcode delivered via SMS as their second authentication step.
When a Box user who has opted for SMS verification logs in with a valid username and password, the service creates a session cookie and redirects the user to a page where the SMS code must be entered before the account is unlocked.
Varonis found the bypass in what the researchers called a mismatch of MFA modes. An attacker who knows the victim's password logs in with it, never requests the SMS code, and instead posts a TOTP code to the authenticator verification endpoint, using an authenticator app enrolled on the attacker's own Box account.
“Box overlooks the fact that the victim hasn’t enrolled in an authenticator app. Instead, it simply accepts a valid authentication passcode from a completely different account without first ensuring that it belonged to the person who was logging in,” the researchers stated. “This allowed us to access the victim’s Box account without having to access their phone or alert the user via SMS.”
The discovery comes about a month after Varonis revealed a similar technique that allowed attackers to bypass authenticator-based verification by “unenrolling a user from MFA after giving a username and password but before giving the second factor.”
“To remove a TOTP device from a user’s account, the MFA endpoint did not require the user to authenticate fully,” the researchers stated in early December 2021.
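Both bugs described above, the mode mismatch that accepts a TOTP code from a device the session's user never enrolled, and the earlier flaw that let a password-only session remove a TOTP device, come down to a server-side check that is missing between the first and second login step. The toy login flow below is an added illustration written for this article; it is not Box's code or Varonis's proof of concept, and every account name, device ID and secret in it is constructed. It models each endpoint in its vulnerable form beside a hardened one so the missing check is explicit.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with a 30 s step; enough to drive the demo."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(word % 10 ** digits).zfill(digits)


@dataclass
class User:
    name: str
    mfa_mode: str                                # "sms" or "totp"
    devices: set = field(default_factory=set)    # TOTP device IDs this user owns


@dataclass
class Session:
    user: User
    password_ok: bool = True    # first step passed (username + password)
    mfa_ok: bool = False        # second step passed; only then is login complete


def make_world(victim_mode: str = "sms"):
    """Constructed accounts (not real data): the attacker owns a separate account
    with an enrolled authenticator; the victim uses SMS, or TOTP when asked."""
    victim = User("victim@example.com", victim_mode)
    attacker = User("attacker@example.com", "totp", {"dev-attacker"})
    devices = {"dev-attacker": (attacker, b"attacker-seed-0123456789")}
    if victim_mode == "totp":
        victim.devices.add("dev-victim")
        devices["dev-victim"] = (victim, b"victim-seed-9876543210")
    return victim, attacker, devices


def verify_totp_vulnerable(session, devices, device_id, code, now) -> bool:
    """Models the mode-mismatch bug: the code is checked against whatever device
    the client names, never against the session user's enrolled mode or devices."""
    if device_id not in devices:
        return False
    _owner, secret = devices[device_id]
    if hmac.compare_digest(totp(secret, now), code):
        session.mfa_ok = True
        return True
    return False


def verify_totp_fixed(session, devices, device_id, code, now) -> bool:
    """Hardened: the factor presented must be the one the user enrolled, and the
    device must be bound to the user who owns this session."""
    user = session.user
    if user.mfa_mode != "totp" or device_id not in user.devices:
        return False
    owner, secret = devices[device_id]
    if owner is not user or not hmac.compare_digest(totp(secret, now), code):
        return False
    session.mfa_ok = True
    return True


def unenroll_vulnerable(session, devices, device_id) -> bool:
    """Models the December finding: a session that has passed only the password
    step may remove a TOTP device, stripping the second factor before it is asked for."""
    if not session.password_ok or device_id not in session.user.devices:
        return False
    session.user.devices.discard(device_id)
    devices.pop(device_id, None)
    return True


def unenroll_fixed(session, devices, device_id) -> bool:
    """Hardened: device management requires a fully authenticated session."""
    if not (session.password_ok and session.mfa_ok):
        return False
    if device_id not in session.user.devices:
        return False
    session.user.devices.discard(device_id)
    devices.pop(device_id, None)
    return True


def bypass_attempts(now: int = 1_700_000_000) -> dict:
    """Replay the mode-mismatch attack: a code from the attacker's own authenticator
    is posted against a half-authenticated session for an SMS-only victim."""
    results = {}
    for label, verify in (("vulnerable", verify_totp_vulnerable), ("fixed", verify_totp_fixed)):
        victim, _attacker, devices = make_world("sms")
        session = Session(victim)                 # attacker already knows the password
        _, attacker_secret = devices["dev-attacker"]
        code = totp(attacker_secret, now)         # generated on the attacker's phone
        results[label] = verify(session, devices, "dev-attacker", code, now) and session.mfa_ok
    return results


def unenroll_attempts() -> dict:
    """Replay the earlier attack: with only the password, try to remove the
    victim's authenticator before the second factor is ever presented."""
    results = {}
    for label, unenroll in (("vulnerable", unenroll_vulnerable), ("fixed", unenroll_fixed)):
        victim, _attacker, devices = make_world("totp")
        session = Session(victim)                 # password step only, mfa_ok is False
        results[label] = unenroll(session, devices, "dev-victim")
    return results


if __name__ == "__main__":
    print("TOTP bypass:", bypass_attempts())       # vulnerable True, fixed False
    print("unenroll:", unenroll_attempts())        # vulnerable True, fixed False
```

The two hardened functions share one design rule: every MFA-related endpoint derives the user from the server-side session, then checks that the factor being presented (or removed) is one that user enrolled and owns. A client-supplied device ID is never trusted on its own, and nothing that changes MFA configuration is reachable from a session that has only passed the password step.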
“MFA is only as good as the developer writing code,” the researchers concluded, “and it might create a false feeling of security.” “Just because MFA is enabled does not necessarily mean that an attacker must have physical access to a victim’s machine to steal their account.”
Rogue Logics provides in-depth security services for the assessment and protection of your application, data, and infrastructure against potential threats on-prem or in the cloud.
Want a consultation with the professionals at Rogue Logics? Contact us and get a free quote.