The multi-factor authentication of Box.com could be bypassed by attackers. The Varonis research team discovered a way to replace MFA with classic one-factor authentication for box accounts.
Box.com joins the long list of cloud providers where MFA vulnerabilities were recently uncovered: the Varonis research team discovered a way to replace MFA with classic one-factor authentication for Box accounts that use authenticator apps such as Google Authenticator. Attackers with stolen credentials could compromise a company's Box account and exfiltrate sensitive data without having to supply a one-time password.
Box.com vulnerability now closed
Security researchers reported this vulnerability to Box on November 3rd via HackerOne, after which it was closed. Nevertheless, this security gap makes it clear that cloud security can never be taken for granted, even when using apparently secure technologies. Varonis researchers have, for instance, already discovered two more MFA bypasses in widely used SaaS applications, which will be published once they have been fixed.
How does MFA work at Box?
When a user adds an authentication app to their Box account, the app is assigned a factor ID in the background. Every time the user tries to log in, Box prompts the user for their email and password, followed by a one-time password from their authentication app.
If the user fails to provide the second factor, they will not be able to access the files and folders in their Box account. This provides a second line of defense in the event a user has a weak (or leaked) password.
Where is the weak point?
The Varonis team determined that the /mfa/unenrollment endpoint did not require full user authentication to remove a TOTP device from a user account. As a result, a user could be unenrolled from MFA after the username and password had been provided but before the second factor had been presented. After this deactivation it was possible to log in without MFA and gain full access to the user's Box account, including all files and folders. In this way, Box users protected by MFA could also be compromised by credential stuffing, brute force or phished login data. The Varonis blog post and the video available there show the exact course of such an attack.
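The flaw described above is an authorization check on a state-changing endpoint that accepts a session which has only passed the password step. The following toy model, added here as an illustration and not Box's or Varonis's code, shows the weak check beside the hardened one and a small audit query a defender can use to spot unenrollments that did not come from a fully authenticated session. The session states, handler names, user store and sample account are assumptions made for this example; real TOTP verification is replaced by a boolean.

```python
"""Toy model of a login flow with a TOTP second factor (added example, not Box's
implementation). It models the bug class described above: an MFA unenrollment
endpoint that checks for a session with a known user but not for a *fully*
authenticated one. All names and states here are assumptions for the example."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional
import hmac


class AuthState(Enum):
    ANONYMOUS = auto()
    PASSWORD_VERIFIED = auto()   # password accepted, second factor still outstanding
    AUTHENTICATED = auto()       # password and (if enrolled) TOTP both verified


@dataclass
class User:
    username: str
    password: str                       # plaintext only because this is a toy model
    factor_id: Optional[str] = None     # enrolled TOTP device, None if not enrolled


@dataclass
class Session:
    user: Optional[User] = None
    state: AuthState = AuthState.ANONYMOUS


@dataclass
class AuthServer:
    users: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)
    require_full_auth_for_unenroll: bool = True   # False reproduces the weak check

    def login_password(self, session: Session, username: str, password: str) -> str:
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user.password, password):
            return "invalid credentials"
        session.user = user
        if user.factor_id is None:
            session.state = AuthState.AUTHENTICATED
            return "logged in"
        session.state = AuthState.PASSWORD_VERIFIED
        return "second factor required"

    def login_totp(self, session: Session, code_ok: bool) -> str:
        """code_ok stands in for real TOTP verification, which is out of scope here."""
        if session.state is not AuthState.PASSWORD_VERIFIED:
            return "no pending second-factor challenge"
        if not code_ok:
            return "invalid code"
        session.state = AuthState.AUTHENTICATED
        return "logged in"

    def mfa_unenroll(self, session: Session, factor_id: str) -> str:
        # Weak check: any session with a known user may remove the device, including
        # one that has only presented a password. That is the pattern described above.
        if session.user is None:
            return "unauthenticated"
        # Hardened check: removing the second factor requires having presented it.
        if self.require_full_auth_for_unenroll and session.state is not AuthState.AUTHENTICATED:
            self.audit.append(f"DENIED unenroll user={session.user.username} state={session.state.name}")
            return "full authentication required"
        if session.user.factor_id != factor_id:
            return "unknown factor"
        session.user.factor_id = None
        self.audit.append(f"unenroll user={session.user.username} state={session.state.name}")
        return "unenrolled"


def suspicious_unenrollments(audit: list) -> list:
    """Audit lines for unenrollments not performed from a fully authenticated session."""
    return [line for line in audit
            if line.startswith("unenroll ") and "state=AUTHENTICATED" not in line]


def simulate(hardened: bool) -> tuple:
    """Run the flow with only a password known, attempt unenrollment at the
    password-verified stage, then start a fresh login to see whether the second
    factor is still enforced. Returns (fresh login result, flagged audit lines)."""
    server = AuthServer(require_full_auth_for_unenroll=hardened)
    server.users["alice"] = User("alice", "correct horse", factor_id="factor-123")  # constructed sample
    s = Session()
    assert server.login_password(s, "alice", "correct horse") == "second factor required"
    server.mfa_unenroll(s, "factor-123")
    s2 = Session()
    return server.login_password(s2, "alice", "correct horse"), suspicious_unenrollments(server.audit)


if __name__ == "__main__":
    print("weak check:    ", simulate(hardened=False))
    print("hardened check:", simulate(hardened=True))
```

With the weak check the fresh login returns "logged in" straight away and the audit shows an unenrollment from a PASSWORD_VERIFIED session; with the hardened check the request is denied, MFA stays enrolled, and the fresh login still asks for the second factor. The same audit query applies to any real identity provider's event log: an MFA device removal that is not preceded by a completed second-factor verification for the same session is worth alerting on.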
More at Varonis.com
About Varonis: Since its founding in 2005, Varonis has taken a different approach than most IT security providers by placing company data stored both locally and in the cloud at the center of its security strategy: sensitive files and e-mails, confidential customer, patient and employee data, financial data, strategy and product plans and other intellectual property. The Varonis data security platform (DSP) detects insider threats and cyber attacks through the analysis of data, account activities, telemetry and user behavior, prevents or limits data security breaches by locking down sensitive, regulated and outdated data, and maintains a secure state of the systems through efficient automation.