Varonis discovers MFA bypass for Box accounts


By Dylan Bushell-Embling
Monday, 13 December, 2021



Varonis has warned it has discovered a method for bypassing multifactor authentication for Box accounts that use authenticator apps such as Google Authenticator.

The newly discovered technique potentially allows attackers to use stolen credentials to compromise an organisation’s Box account and exfiltrate sensitive data without the need to provide a one-time password.

Box introduced the ability to use TOTP-based authenticator apps such as Google Authenticator, Okta Verify, Authy and Duo for multifactor authentication in January.

In a research note, Varonis noted that authenticator apps which comply with TOTP are usually more secure than SMS-based authentication due to the ability to avoid the risk of SMS messages being hijacked through SIM swapping, port-out fraud or another method.

But the Varonis team discovered that the solution implemented by Box did not require the user to be fully authenticated in order to remove a TOTP device from a user’s account. The team was able to exploit this to unenrol a user from multifactor authentication (MFA) after providing a username and password but before providing the second factor.

“After performing the unenrollment action, we were able to log in without any MFA requirements and gain full access to the user’s Box account, including all their files and folders. Prior to Box’s fix, attackers could compromise user accounts via credential stuffing, brute force, etc,” Varonis said.

The attack workflow requires entering a user’s email address and password on account.box.com/login and then POSTing the device factor’s ID to the /mfa/unenrollment endpoint to unenrol the device/user combo from the MFA process.
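The defect described above is an authorisation check that treats a password-only session as sufficient for changing MFA settings. The following is an added illustrative model, not Box's code: the session states, account model, endpoint-style function names and helper functions are all hypothetical, showing the flawed check beside the hardened one and why the flaw silently removes the second factor.

```python
"""Constructed model of a partially-authenticated session being allowed to
change MFA settings. Not Box's code: every name here is hypothetical."""
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    password_ok: bool = False   # first factor verified
    mfa_ok: bool = False        # second factor (TOTP) verified


@dataclass
class Account:
    totp_devices: set = field(default_factory=set)  # enrolled device IDs


class NotFullyAuthenticated(Exception):
    pass


def unenroll_vulnerable(session, account, device_id):
    """Flawed check: a username/password-only session may remove a device."""
    if not session.password_ok:
        raise NotFullyAuthenticated("log in first")
    account.totp_devices.discard(device_id)
    return len(account.totp_devices) == 0   # True => no MFA left on account


def unenroll_fixed(session, account, device_id):
    """Hardened check: MFA settings change only after both factors are verified.
    A stricter policy would additionally require a fresh second-factor
    verification (step-up) immediately before this action."""
    if not (session.password_ok and session.mfa_ok):
        raise NotFullyAuthenticated("complete MFA before changing MFA settings")
    account.totp_devices.discard(device_id)
    return len(account.totp_devices) == 0


def login_requires_mfa(account):
    """Login policy: an account with no enrolled device is never challenged."""
    return len(account.totp_devices) > 0


def demo_vulnerable():
    """Session stopped at the TOTP prompt removes the device; MFA is gone."""
    acct = Account({"dev-1"})
    half = Session("alice", password_ok=True, mfa_ok=False)
    unenroll_vulnerable(half, acct, "dev-1")
    return login_requires_mfa(acct)   # False: next login skips the second factor


def demo_fixed_blocks_partial_session():
    """Same half-authenticated session is refused; the device stays enrolled."""
    acct = Account({"dev-1"})
    try:
        unenroll_fixed(Session("alice", password_ok=True), acct, "dev-1")
    except NotFullyAuthenticated:
        return login_requires_mfa(acct)   # True: MFA still enforced
    return False
```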

The company recommends that organisations looking to implement TOTP-based MFA delegate the implementation to a specialist provider such as Okta.

In addition to requiring MFA, companies should also seek to use single sign-on (SSO) technology where possible, enforce strong password policies, and avoid including easily searchable security questions as part of the authentication workflow, Varonis added.
