Security researchers have disclosed details of a now-patched bug in Box's Multi-Factor Authentication (MFA) mechanism. The bug could allow a malicious actor to bypass SMS-based login verification and steal sensitive data.

The bug in Box

According to researchers, an attacker could use stolen account credentials to compromise an organization's Box account and extract data without ever having access to the victim's phone.
  • The attacker can access the victim's account by linking it with an authenticator app enrolled on their own account.
  • When logging into the targeted account, the attacker can skip the SMS verification step and instead select authenticator app-based verification.
  • The login can then be completed using a time-based OTP from the authenticator app enrolled on the attacker's own Box account.
  • Box did not check that the victim had never enrolled an authenticator app. Instead, it accepted a valid passcode generated for a different account without verifying that the passcode belonged to the user logging in.
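The following is an added, constructed model of the missing server-side check described in the list above; it is not Box's code, and the account names, factor ids and secrets are made up. It implements RFC 6238 TOTP from the standard library, then shows a login flow in which the second-factor verification is not bound to the authenticating account (so a valid code from a factor enrolled on a different account is accepted) beside a hardened flow in which only factors enrolled on the account being logged into are eligible.

```python
# Constructed model of the MFA-binding flaw described above. Not Box's code;
# account names, factor ids and secrets are made up for illustration.
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass


def totp(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the scheme used by common authenticator apps."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", timestamp // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass(frozen=True)
class Factor:
    factor_id: str
    owner: str    # username the factor was enrolled on
    kind: str     # "sms" or "totp"
    secret: str   # base32 TOTP seed, or the phone number for SMS


@dataclass
class Account:
    username: str
    password: str
    factor_ids: tuple  # factors enrolled on THIS account


# Constructed fixtures: the victim has only SMS enrolled; the attacker owns a
# separate account with an authenticator app (TOTP) enrolled.
FACTORS = {
    "f-victim-sms": Factor("f-victim-sms", "victim@example.com", "sms", "+15550100"),
    "f-attacker-totp": Factor("f-attacker-totp", "attacker@example.net", "totp", "JBSWY3DPEHPK3PXP"),
}
ACCOUNTS = {
    "victim@example.com": Account("victim@example.com", "stolen-pw", ("f-victim-sms",)),
    "attacker@example.net": Account("attacker@example.net", "attacker-pw", ("f-attacker-totp",)),
}


def check_password(username: str, password: str) -> bool:
    acct = ACCOUNTS.get(username)
    return acct is not None and hmac.compare_digest(acct.password, password)


def verify_code(factor: Factor, code: str, now: int, sms_outbox: dict) -> bool:
    """Check a one-time code against a single factor. sms_outbox maps a phone
    number to the code most recently sent to it (stands in for the SMS gateway)."""
    if factor.kind == "totp":
        return hmac.compare_digest(totp(factor.secret, now), code)
    if factor.kind == "sms":
        expected = sms_outbox.get(factor.secret)
        return expected is not None and hmac.compare_digest(expected, code)
    return False


def vulnerable_login(username, password, factor_id, code, now, sms_outbox=None) -> bool:
    """Flawed flow matching the bug described: after the password, the client may
    name any factor id, and the server verifies the code against that factor
    without confirming the factor is enrolled on the account being logged into."""
    if not check_password(username, password):
        return False
    factor = FACTORS.get(factor_id)
    if factor is None:
        return False
    return verify_code(factor, code, now, sms_outbox or {})


def hardened_login(username, password, factor_id, code, now, sms_outbox=None) -> bool:
    """Fixed flow: a second factor is acceptable only if it was enrolled on the
    authenticating account; anything else is rejected (and worth alerting on)."""
    if not check_password(username, password):
        return False
    account = ACCOUNTS[username]
    if factor_id not in account.factor_ids:
        return False  # factor belongs to another user (or nobody): refuse
    factor = FACTORS[factor_id]
    if factor.owner != username:  # defence in depth: both records must agree
        return False
    return verify_code(factor, code, now, sms_outbox or {})


if __name__ == "__main__":
    NOW = 1_700_000_000
    attacker_code = totp(FACTORS["f-attacker-totp"].secret, NOW)
    # Victim's stolen password combined with a code from the attacker's own authenticator:
    print("vulnerable:", vulnerable_login("victim@example.com", "stolen-pw", "f-attacker-totp", attacker_code, NOW))  # True
    print("hardened:  ", hardened_login("victim@example.com", "stolen-pw", "f-attacker-totp", attacker_code, NOW))    # False
```

The hardened flow makes the eligible factor set a property of the account, not a client-supplied choice, which is the check the flaw was missing. A rejected attempt where the submitted factor id is not enrolled on the account is also a useful detection signal: it should not occur in normal use and is worth logging and alerting on.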

More details

The finding was reported to the cloud service provider on November 2, 2021, and the company has since released fixes. Such bypass techniques are not new, however. A similar technique was previously disclosed that allowed attackers to bypass authenticator verification by unenrolling a user from MFA after supplying the username and password but before supplying the second factor.

Conclusion

This recent attack technique shows that even MFA does not provide adequate security if it is not implemented and tested properly. Researchers therefore recommend limiting access to data and monitoring how it is used.

Cyware Publisher