Box 2FA Bypass Opens User Accounts to Attack (Security News, January 2022)
The stakes are high: gaining access to a Box account could give attackers a vast array of sensitive documents and data belonging to both individuals and organizations.
When a user logs in with their credentials, Box issues the session cookies and redirects the user to an SMS verification page, where they are asked to enter a one-time passcode sent to the mobile phone enrolled on the account.
"Box did not verify whether the victim was enrolled in TOTP verification and did not validate that the authenticator app used belonged to the user that was logging in," researchers explained in a Tuesday analysis.
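The flaw the researchers describe is a second-factor check that trusts the factor the client names rather than the factors the authenticating account actually enrolled. The following Python is an added illustration of that check-ordering mistake and its fix; it is not Box's code and does not reproduce any Box request, endpoint or identifier. The factor store, user names, factor IDs, secrets and fixed timestamp are constructed fixtures; the TOTP routine is plain RFC 6238 (HMAC-SHA1, 30-second step, 6 digits).

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, evaluated at a caller-supplied timestamp
    so the example is deterministic (no call to time.time())."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


@dataclass
class Factor:
    factor_id: str
    owner: str        # account that enrolled this factor
    kind: str         # "sms" or "totp"
    secret: bytes = b""


@dataclass
class Session:
    user: str                  # account whose password was verified
    password_ok: bool = False
    mfa_done: bool = False


# Constructed fixture (hypothetical, not Box data): the victim enrolled SMS only,
# the attacker enrolled a TOTP authenticator on their own account, and "carol"
# is a legitimate user with her own TOTP factor.
FACTORS = {
    "f-victim-sms": Factor("f-victim-sms", "victim", "sms"),
    "f-attacker-totp": Factor("f-attacker-totp", "attacker", "totp", b"attacker-seed-0123"),
    "f-carol-totp": Factor("f-carol-totp", "carol", "totp", b"carol-seed-4567"),
}
NOW = 1_640_995_200  # 2022-01-01T00:00:00Z, fixed so every run computes the same codes


def verify_totp_vulnerable(session: Session, factor_id: str, code: str, now: int = NOW) -> bool:
    """Flawed check: the factor is looked up by the submitted id alone. Nothing
    confirms that session.user is enrolled in TOTP or owns this authenticator."""
    if not session.password_ok:
        return False
    factor = FACTORS.get(factor_id)
    if factor is None or factor.kind != "totp":
        return False
    if hmac.compare_digest(totp(factor.secret, now).encode(), code.encode()):
        session.mfa_done = True
        return True
    return False


def verify_totp_fixed(session: Session, factor_id: str, code: str, now: int = NOW) -> bool:
    """Hardened check: the candidate factor is taken from the authenticating
    account's own enrolled TOTP factors, so a foreign authenticator never matches
    and an account with no TOTP enrollment cannot complete this step at all."""
    if not session.password_ok:
        return False
    own_totp = {f.factor_id: f for f in FACTORS.values()
                if f.owner == session.user and f.kind == "totp"}
    factor = own_totp.get(factor_id)
    if factor is None:
        return False
    if hmac.compare_digest(totp(factor.secret, now).encode(), code.encode()):
        session.mfa_done = True
        return True
    return False


def attack(verify) -> bool:
    """Attacker holding the victim's password answers the MFA step with a code
    from their own authenticator, naming their own factor id."""
    session = Session(user="victim", password_ok=True)
    code = totp(FACTORS["f-attacker-totp"].secret, NOW)
    verify(session, "f-attacker-totp", code)
    return session.mfa_done


def legitimate(verify) -> bool:
    """Carol completes MFA with the authenticator enrolled on her own account."""
    session = Session(user="carol", password_ok=True)
    code = totp(FACTORS["f-carol-totp"].secret, NOW)
    verify(session, "f-carol-totp", code)
    return session.mfa_done
```

The vulnerable path lets `attack` succeed because the only question it asks is "is this a valid code for the factor the client named"; the fixed path scopes the lookup to the session's user first, which answers both of the researchers' points (enrollment and ownership) with a single change in where the factor list comes from.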
Spoiler alert: Box is not the only major SaaS provider that we've been able to bypass.
To mitigate the risk of unauthorized access to apps, data and infrastructure even when legitimate credentials are in play, organizations can also deploy cloud access security broker (CASB) and zero trust network access (ZTNA) solutions, which detect anomalous user behavior and re-verify identity.
How much data can an attacker access if they compromise a normal user account?
News URL
https://threatpost.com/box-2fa-bypass-accounts-attack/177760/