Security News > 2022 > January > Researchers Bypass SMS-based Multi-Factor Authentication Protecting Box Accounts

Cybersecurity researchers have disclosed details of a now-patched bug in Box's multi-factor authentication mechanism that could be abused to completely sidestep SMS-based login verification.

"Using this technique, an attacker could use stolen credentials to compromise an organization's Box account and exfiltrate sensitive data without access to the victim's phone," Varonis researchers said in a report shared with The Hacker News.

Thus, when a Box user who is enrolled for SMS verification logs in with a valid username and password, the service sets a session cookie and redirects the user to a page where the TOTP can be entered to gain access to the account.

The bypass identified by Varonis is a consequence of what the researchers called a mixup of MFA modes.

"Box misses that the victim hasn't enrolled [in] an authenticator app, and instead blindly accepts a valid authentication passcode from a totally different account without first checking that it belonged to the user that was logging in," the researchers said.

Put differently, Box not only did not check whether the victim was enrolled in an authenticator app-based verification, it also did not validate that the code entered is from an authenticator app that's actually linked to the victim who is attempting to log in.

News URL

https://thehackernews.com/2022/01/researchers-bypass-sms-based-multi.html