Emma Woollacott January 18, 2022 14:01 UTC
Updated: 18 Jan 2022 14:18 UTC
break the box
Cloud content management company Box has set out to fix a vulnerability in its SMS-based two-factor authentication (2FA), just weeks after its Time-based One-Time Password (TOTP)-based MFA was also found to be vulnerable.
In a technical blog post today (January 18), Varonis Threat Labs outlined how the technique could allow attackers to use stolen credentials to compromise an organization’s Box account and leak sensitive data without accessing the victim’s phone.
Or Emanuel, head of Varonis Threat Labs, told The Daily Swig: “Once the vulnerability is known, it is very easy for an immature attacker to exploit it.”
“An attacker can compromise any Box user by knowing or guessing their username and password – rendering MFA useless.”
SMS-based 2FA
Box and many other applications allow users without single sign-on (SSO) to use a one-time password sent via SMS as a second step in authentication.
When a username and password are entered in Box’s login form, Box sets a session cookie and redirects the user to enter either a time-based one-time password from an authenticator application or an SMS code in order to access their Box.com account.
However, if the user does not navigate to the SMS verification form, the SMS message is not sent, but a session cookie is still generated. A malicious actor with the user’s email and password can simply enter them to obtain a valid session cookie; no SMS code is required.
Once the cookie is generated, the attacker can abandon the SMS-based MFA flow and start a TOTP-based flow instead, using the session cookie to post the factor ID and code to the TOTP verification endpoint from their own Box account and authenticator application.
Box does not verify that the victim is registered for TOTP verification, or that the authenticator application used belongs to the user who is logging in.
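As an added example (not Box’s or Varonis’s code), here is a minimal Python model of the TOTP verification step described above: the unchecked lookup that mirrors the flaw sits beside a hardened version that ties the check to the session owner’s own enrolment. The users, factor IDs and secrets are constructed sample data.

```python
import hashlib
import hmac
import struct

# Constructed sample data (not Box's real data model): per-user MFA enrolment and
# the TOTP factors each user has registered, keyed by factor ID.
USERS = {
    "alice@example.com": {"sms_enrolled": True, "totp_enrolled": False},
    "mallory@example.com": {"sms_enrolled": False, "totp_enrolled": True},
}
FACTORS = {
    "factor-mallory": {"owner": "mallory@example.com", "secret": b"mallory-seed-0001"},
}

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def start_session(user: str) -> dict:
    """Session cookie state after a correct password, before any second factor."""
    return {"user": user, "stage": "awaiting_second_factor", "authenticated": False}

def verify_totp_vulnerable(session: dict, factor_id: str, code: str, now: int) -> bool:
    """Mirrors the flaw described above: the factor is looked up by ID alone, so
    neither the session owner's TOTP enrolment nor factor ownership is checked."""
    factor = FACTORS.get(factor_id)
    if factor is None or not hmac.compare_digest(code, totp(factor["secret"], now)):
        return False
    session["stage"], session["authenticated"] = "done", True
    return True

def verify_totp_hardened(session: dict, factor_id: str, code: str, now: int) -> bool:
    """Binds the check to the session owner: they must be enrolled in TOTP, the
    factor must belong to them, and the session must still be awaiting a factor."""
    user = session["user"]
    factor = FACTORS.get(factor_id)
    if session["stage"] != "awaiting_second_factor":
        return False
    if not USERS[user]["totp_enrolled"]:
        return False  # account has no TOTP method; refuse the TOTP flow outright
    if factor is None or factor["owner"] != user:
        return False  # factor ID is not one of this user's own enrolled factors
    if not hmac.compare_digest(code, totp(factor["secret"], now)):
        return False
    session["stage"], session["authenticated"] = "done", True
    return True
```

The hardened check also refuses to let an account with no TOTP method enter the TOTP flow at all, which closes the switch from the SMS flow that the article describes.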
Coordinated Disclosure
Emanuel said the information came through HackerOne, and Box responded quickly.
Varonis also discovered late last year that Box’s TOTP-based MFA was vulnerable to exploitation.
To log in, users need to enter their email and password, followed by a one-time password from an authenticator app. However, Varonis found that users can remove TOTP devices from user accounts without full authentication.
This allowed the researchers to deregister users from MFA after providing a username and password but before providing a second factor. They could then log in without any MFA requirement and gain full access to the user’s Box account.
Emanuel said the team is testing other MFA implementations.
“We think it’s very common because there are countless SaaS applications, most of which have their own implementation of MFA. The more we look, the more bugs we find,” he said.
“There are also a lot of points of failure – not just vendor MFA codes. For example, there are many ways to intercept SMS messages through techniques like SIM hijacking and port spoofing. Authenticator applications can be buggy. SaaS applications are also full of backdoors that bypass the login process, such as session hijacking.”