Box: MFA via SMS could also be bypassed by attackers

Varonis security researchers have discovered a way to bypass multi-factor authentication (MFA) via SMS for Box accounts. Attackers with stolen credentials were able to compromise an organization's Box account and exfiltrate sensitive data without having to access the victim's phone.

Security researchers reported this vulnerability to Box via HackerOne on November 3, 2021, and Box has since closed it. Just last month, Varonis Threat Labs demonstrated how to bypass Box's TOTP-based MFA. Both gaps make it clear that cloud security should never be taken for granted, even when using apparently secure technologies, and that a multi-layered security strategy is required.

SMS code without victim's phone

Like most applications, Box allows users without single sign-on (SSO) to use an authenticator app (such as Okta Verify or Google Authenticator) or a one-time security code sent by SMS as the second authentication step. After the user enters a username and password in the login form, Box sets a session cookie and directs the user either to a form for a time-based one-time password (TOTP) if the user has enrolled an authenticator app, or to a form for the SMS code if the user has opted to receive a security code via SMS.

Dangerous mixing of MFA methods

The session cookie is generated even if the user never navigates to the SMS verification form. This means attackers only need the user's email address and password, which they have already phished or bought on the dark web, to obtain a valid session cookie. Once the cookie is issued, the attackers can abandon the SMS-based MFA flow (the one the victim is enrolled in) and instead initiate the TOTP-based flow, mixing the two MFA methods.

The attackers complete the authentication process by sending a factor ID and code from their own Box account and authenticator app to the TOTP verification endpoint, using the session cookie they received by providing the victim's login data. Until the vulnerability was patched, Box did not verify that the victim was enrolled in TOTP verification, nor that the authenticator app used actually belonged to the user attempting to log in. This made it possible to access the user's Box account without touching the victim's phone or sending them a text message.

Flow of the Box Attack

  • The attacker enrolls an authenticator app for multi-factor authentication on their own Box account and saves the device's factor ID.
  • The attacker enters the victim's email address and password at account.box.com/login.
  • If the password is correct, the attacker's browser receives a new authentication cookie and is redirected to /2fa/verification.
  • However, the attacker does not follow the redirect to the SMS verification form, instead posting their own factor ID and code from the authenticator app to the TOTP verification endpoint /mfa/verification.
  • The attacker is now logged into the victim's account. The victim never receives an SMS message and therefore notices nothing.
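To make the missing server-side check concrete, here is a small model of the second-factor step described above and in the flow list. It is an added example, not Box's code: the user and factor stores, e-mail addresses, factor IDs and secrets are all constructed, and `verify_totp_vulnerable` reproduces the described pre-fix behaviour (factor trusted by ID alone) while `verify_totp_hardened` adds the enrollment and ownership checks that close the method-mixing gap.

```python
import hmac
import hashlib
import struct

# Constructed enrollment store: which MFA method each user chose and which factors they own.
USERS = {
    "victim@example.com":   {"method": "sms",  "factors": ["f-victim-sms"]},
    "attacker@example.com": {"method": "totp", "factors": ["f-attacker-totp"]},
}
# Constructed factor store: factor id -> owner and TOTP secret (None for an SMS factor).
FACTORS = {
    "f-victim-sms":    {"owner": "victim@example.com",   "secret": None},
    "f-attacker-totp": {"owner": "attacker@example.com", "secret": b"constructed-attacker-secret"},
}

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1; used only to produce a valid code for the demo."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def verify_totp_vulnerable(session_user: str, factor_id: str, code: str, now: int) -> bool:
    """Pre-fix behaviour as the article describes it: the factor is looked up by ID only,
    so a session issued for one user can be completed with another user's factor."""
    f = FACTORS.get(factor_id)
    return bool(f and f["secret"] and hmac.compare_digest(totp(f["secret"], now), code))

def verify_totp_hardened(session_user: str, factor_id: str, code: str, now: int) -> bool:
    """Hardened behaviour: the session's user must be enrolled for TOTP and must own
    the submitted factor before the code is even compared."""
    u = USERS.get(session_user)
    f = FACTORS.get(factor_id)
    if not u or not f or u["method"] != "totp":
        return False  # user enrolled in a different method (e.g. SMS) hit the TOTP endpoint
    if f["owner"] != session_user or factor_id not in u["factors"]:
        return False  # factor belongs to a different account
    return bool(f["secret"] and hmac.compare_digest(totp(f["secret"], now), code))

def mixed_method_attempt(checker, now: int = 1_700_000_000) -> bool:
    """Replays the flow above: a session for the victim (obtained with the victim's
    password) completed with the attacker's own factor ID and authenticator code."""
    code = totp(FACTORS["f-attacker-totp"]["secret"], now)
    return checker("victim@example.com", "f-attacker-totp", code, now)
```

Running `mixed_method_attempt` against both checkers shows the vulnerable version accepting the foreign factor and the hardened version rejecting it, while a legitimate TOTP user is still accepted by the hardened check.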

The course of such an attack is illustrated in this YouTube video.

Findings from the attack

MFA is an important step towards a safer internet and more reliable authentication for SaaS applications. That said, MFA can provide a false sense of security: just because MFA is enabled doesn't necessarily mean that an attacker needs to gain physical access to a victim's device in order to compromise their account. Therefore, reliable authentication can only ever be one level of security.

Accordingly, this vulnerability also illustrates the need for a data-centric approach. "Relying solely on perimeter protection and strong authentication is grossly negligent," explains Michael Scheffler, Country Manager DACH at Varonis Systems. "Security leaders should ask themselves the following questions to review the effectiveness of their security strategy and make adjustments where necessary: Can I tell if MFA has been disabled or bypassed for a user across all of my SaaS applications? How much data can an attacker access if they compromise a regular user account? Do users only get access to files they actually need? And are we able to detect when a user is accessing data in unusual ways?"

More at Varonis.com

About Varonis

Since its founding in 2005, Varonis has taken a different approach than most IT security providers by placing company data stored both locally and in the cloud at the center of its security strategy: sensitive files and e-mails, confidential customer, patient and employee data, financial data, strategy and product plans and other intellectual property. The Varonis data security platform (DSP) detects insider threats and cyber attacks through the analysis of data, account activities, telemetry and user behavior, prevents or limits data security breaches by locking down sensitive, regulated and outdated data, and maintains a secure state of the systems through efficient automation.
