Box has moved to patch a flaw in its SMS-based two-factor authentication (MFA), just weeks after its time-based one-time password (TOTP) MFA was found to be vulnerable as well.
In a technical blog post, Varonis Threat Labs detailed how the technique could allow an attacker with stolen credentials to compromise an organization's Box account and exfiltrate sensitive data without access to the victim's phone. "Once known, the vulnerability is extremely easy for an unsophisticated attacker to exploit," says Or Emanuel, head of Varonis Threat Labs.
Box, like many other applications, allows users who do not have Single Sign-On (SSO) to use a one-time passcode sent via SMS as a second authentication step.
When a user enters a username and password into Box's login form, Box stores a session cookie and redirects the user to enter either a time-based one-time password from an authenticator app or an SMS code to gain access to their Box.com account.
If the user does not go to the SMS verification form, no SMS message is sent, but a session cookie is generated – and a malicious actor.
Once the cookie is generated, the attacker can abandon the SMS-based MFA process and instead initiate the TOTP-based process: using the session cookie, they post a factor ID and a TOTP code from their own Box account and authenticator app to the TOTP verification endpoint.
Box failed to validate whether the victim was enrolled in TOTP verification, or whether the authenticator app used belonged to the user who was logging in.
According to Emanuel, the disclosure was made through HackerOne, and Box responded quickly.
The report comes on the heels of Varonis' late-year discovery that Box's TOTP-based MFA was also vulnerable to exploitation.
To log in, users must first enter their email address and password, followed by a one-time password generated by their authenticator app. Varonis discovered, however, that a user did not have to be fully authenticated in order to remove a TOTP device from their account.
As a result, the researchers were able to unenroll a user from MFA after providing a username and password but before providing the second factor. They could then log in without MFA and gain full access to the user's Box account.
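Both bypasses come down to a server-side check that was missing: the TOTP verification endpoint did not bind the posted factor ID to the account that owns the session (and did not confirm that account was enrolled at all), and the unenroll endpoint accepted a session that had only passed the password step. The following Python model is an added example, not Box's code and not Varonis' proof of concept; it assumes a `Session` object that records the password step and the MFA step separately, a factor registry keyed by factor ID, and RFC 6238 TOTP (SHA-1, 30-second steps). The `_vulnerable` methods reproduce the two gaps described above; the `_hardened` methods show the checks a defender would add.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HOTP over a time counter), SHA-1 variant."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


@dataclass
class Factor:
    factor_id: str
    owner: str          # account the authenticator was enrolled for
    secret: bytes


@dataclass
class Session:
    user: str
    password_ok: bool = False   # set after username + password (hypothetical field)
    mfa_ok: bool = False        # set only after a valid second factor


class MfaService:
    """Hypothetical MFA backend; two implementations of each endpoint for comparison."""

    def __init__(self) -> None:
        self.factors: dict[str, Factor] = {}

    def enroll(self, factor_id: str, owner: str, secret: bytes) -> None:
        self.factors[factor_id] = Factor(factor_id, owner, secret)

    def verify_totp_vulnerable(self, s: Session, factor_id: str, code: str, now: int) -> bool:
        """Checks the code against whatever factor ID was posted; never checks that
        the factor belongs to s.user or that s.user is enrolled at all."""
        f = self.factors.get(factor_id)
        if f is None or not s.password_ok:
            return False
        if hmac.compare_digest(totp(f.secret, now), code):
            s.mfa_ok = True
            return True
        return False

    def verify_totp_hardened(self, s: Session, factor_id: str, code: str, now: int) -> bool:
        """Binds the factor to the session's own user before looking at the code."""
        f = self.factors.get(factor_id)
        if f is None or not s.password_ok or f.owner != s.user:
            return False
        if hmac.compare_digest(totp(f.secret, now), code):
            s.mfa_ok = True
            return True
        return False

    def unenroll_vulnerable(self, s: Session, factor_id: str) -> bool:
        """Accepts a half-authenticated session (password only)."""
        if not s.password_ok or factor_id not in self.factors:
            return False
        del self.factors[factor_id]
        return True

    def unenroll_hardened(self, s: Session, factor_id: str) -> bool:
        """Requires a fully authenticated session and ownership of the factor."""
        f = self.factors.get(factor_id)
        if f is None or not (s.password_ok and s.mfa_ok) or f.owner != s.user:
            return False
        del self.factors[factor_id]
        return True


def demo(now: int = 1_700_000_000) -> dict[str, bool]:
    """Replays both scenarios with constructed accounts 'victim' and 'attacker'."""
    results: dict[str, bool] = {}
    for impl in ("vulnerable", "hardened"):
        svc = MfaService()
        svc.enroll("f-victim", "victim", b"victim-secret-constructed")
        svc.enroll("f-attacker", "attacker", b"attacker-secret-constructed")
        verify = getattr(svc, f"verify_totp_{impl}")
        unenroll = getattr(svc, f"unenroll_{impl}")

        # Scenario 1: session for the victim's account (password step passed), but the
        # posted factor ID and code come from a different account's authenticator.
        s = Session(user="victim", password_ok=True)
        foreign_code = totp(svc.factors["f-attacker"].secret, now)
        results[f"{impl}_accepts_foreign_factor"] = verify(s, "f-attacker", foreign_code, now)

        # Scenario 2: removing the victim's TOTP device before the second factor is given.
        s = Session(user="victim", password_ok=True)
        results[f"{impl}_unenrolls_half_authenticated"] = unenroll(s, "f-victim")

    # Control: the legitimate flow still works against the hardened checks.
    svc = MfaService()
    svc.enroll("f-victim", "victim", b"victim-secret-constructed")
    s = Session(user="victim", password_ok=True)
    own_code = totp(svc.factors["f-victim"].secret, now)
    results["hardened_accepts_own_factor"] = svc.verify_totp_hardened(s, "f-victim", own_code, now)
    results["hardened_unenrolls_after_mfa"] = svc.unenroll_hardened(s, "f-victim")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the two hardened methods is that the factor lookup is keyed by the session's user, not by a client-supplied ID alone, and that any state-changing MFA operation (unenroll, reset, add device) requires the session to have completed MFA, not merely the password step. A reviewer auditing an MFA implementation can use the same two questions: does every verification endpoint check factor ownership and enrollment for the session's user, and does every management endpoint require a fully authenticated session?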
According to Emanuel, the team is currently testing other MFA implementations. "We believe it is extremely widespread because there are countless SaaS applications, the majority of which have their own MFA implementation. The more we look, the more flaws we discover," he claims.
"There are numerous failure points, not just the vendor's MFA code. SMS messages, for example, can be intercepted in a variety of ways, including SIM jacking and port-out fraud. Authenticator apps may contain flaws. There are also backdoors into SaaS apps that completely bypass the login process, such as session hijacking."
If you have any questions about this issue, please contact us via the email address provided. Your security partner will be Airzero sec.
Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/