Researchers Discovered a Way to Bypass SMS-Based multi-factor Authentication Protecting Box Accounts

A critical vulnerability has been detected recently by the experts at Varonis Threat Labs in the multi-factor authentication (MFA) mechanism of the Box cloud service. In the Box cloud service, this vulnerability could be exploited by the attackers to bypass the SMS verification process.

Box cloud service is mainly used to store the following things in the cloud:-

  • Documents
  • Images
  • Videos
  • Financial papers and reports
  • Spreadsheets

On successful exploitation of this critical vulnerability, an attacker can easily:- 

  • Compromise an organization’s Box account.
  • Without any access to the victim’s phone, exfiltrate sensitive data.

This critical vulnerability has already been reported to Box via HackerOne on November 2, and after getting notified about the flaw, Box promptly released a fix to patch this bug.

There are several SaaS providers who provide multiple MFA options to all their users, and all thanks go to the boosted intimidation to adopt and implement multi-factor authentication. 

While Box also allows its users without Single Sign-On (SSO) to use an authenticator app just like the other apps. And not only that event this security mechanism also helps users to use this security feature as their second line of defense against common attacks like:-

  • Credential stuffing
  • Password attacks

Currently, more than 97,000 companies are there who actively use the Box Cloud service, and among those, 68% of the Fortune 500 those who reply on the solutions of the company.

SMS Verification

In the login form of Box, once a username and password was entered, it automatically sets a session cookie to redirect the users to:-

  • A form where it is necessary to enter either a one-time password (TOTP) generated by an authenticator (MFA verification).

OR 

  • A code from an SMS message (two-factor authentication).

Now, here at this point, to gain access to the Box.com account, a user needs to navigate to the SMS verification form, where a code is sent, and then on arrival, just have to enter that code.

Attack Flow

  • First, using an authenticator app, an attacker enlists in multi-factor authentication.
  • Then stores the factor ID of the device.
  • On account.box.com/login the email address and password of the user were entered.
  • Once done, now the attacker’s browser will send a new authentication cookie and redirect to: /2fa/verification if the password is correct.
  • Instead of following the redirect to the SMS verification form, they pass their own factor ID and code to the TOTP verification endpoint: /mfa/verification from the authenticator app.
  • Once done, now the attacker will be able to log in to the account of the victim without any prior notification.

Data-centric Approach

In this case, the CISOs should ask themselves the following questions:-

  • Would I know if MFA was disabled or bypassed for a user across all my SaaS applications?
  • How much data can an attacker access if they compromise a normal user account?
  • Is any data unnecessarily exposed to too many users (or exposed publicly)?
  • If a user accesses data abnormally, will I get an alert?

In this event, the Box allows for “MFA confusion,” which enables an attacker to bypass the SMS-based multi-factor authentication.

The security flaw consisted in the lack of a check to see if the MFA protection based on the TOTP was enabled on the account or not in which they endeavored to log in and whether the authenticator app was actually associated with this account.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.