Box: MFA via SMS could also be bypassed by attackers
Varonis security researchers have discovered a way to bypass SMS-based multi-factor authentication (MFA) for Box accounts. Attackers with stolen credentials were able to compromise an organization's Box account and exfiltrate sensitive data without needing access to the victim's phone. The researchers reported the vulnerability to Box via HackerOne on November 3, 2021, which led to the gap being closed. Just last month, Varonis Threat Labs demonstrated how to bypass Box's TOTP-based MFA. Both gaps make it clear that cloud security, even when using seemingly secure technologies, is never...