Security researchers have revealed details of a now-patched vulnerability in Box's Multi-Factor Authentication (MFA) mechanism. A malicious actor could exploit the flaw to bypass SMS-based login verification and steal sensitive data.
Researchers claim that an attacker with stolen account credentials could compromise an organization's Box account and extract data without ever accessing the victim's phone.
The attacker gains access to the victim's account by linking it to their own authenticator app-based authentication mechanism.
When accessing the targeted account, the attacker can skip the SMS-based login verification and opt for authenticator app-based authentication instead.
That step can then be completed using a time-based one-time password (TOTP) from the attacker's own Box account.
Box did not check that the victim had never enrolled an authenticator app; instead, it accepted a valid passcode from another account without verifying that the passcode belonged to the account being accessed.
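The following is an added illustration of the server-side flaw class described above (it is not Box's code or from the original report): a TOTP verifier that trusts the factor identifier in the request, beside a hardened version that binds the second factor to the user who passed the first step. The user names, factor ids and secret are constructed.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `now`."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


# Constructed enrollment table: each factor has an id, an owner and a method.
# "victim" only ever enrolled SMS; "attacker" enrolled an authenticator app.
FACTORS = {
    "sms-42":  {"owner": "victim",   "method": "sms",  "secret": None},
    "totp-77": {"owner": "attacker", "method": "totp", "secret": b"constructed-attacker-seed"},
}


def verify_vulnerable(session_user: str, req: dict, now: int) -> bool:
    """Flawed check: looks up whatever factor id the request names and never
    asks whether that factor belongs to `session_user`."""
    factor = FACTORS.get(req["factor_id"])
    if not factor or factor["method"] != "totp":
        return False
    return hmac.compare_digest(totp(factor["secret"], now), req["code"])


def verify_fixed(session_user: str, req: dict, now: int) -> bool:
    """Hardened check: the second factor must be one the session's user
    actually enrolled, and its method must match the method being claimed."""
    if req["method"] != "totp":
        return False                                  # SMS path is verified elsewhere
    factor = FACTORS.get(req["factor_id"])
    if not factor or factor["owner"] != session_user:
        return False                                  # factor belongs to someone else
    if factor["method"] != "totp":
        return False                                  # user never enrolled an authenticator app
    return hmac.compare_digest(totp(factor["secret"], now), req["code"])
```

A useful detection hook is to log and alert whenever `factor["owner"] != session_user` fires, since a legitimate client should never send another account's factor id.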
On November 2, 2021, the cloud service provider was notified of the findings, and the company has since released fixes. Experts, however, are not unfamiliar with this kind of bypass technique.
Previously, a similar technique was revealed which allowed attackers to bypass authenticator verification by unenrolling a user from MFA after providing a username and password but before providing the second factor.
Even when MFA is implemented and tested properly, this recent attack approach shows that it does not on its own provide adequate security. Researchers therefore advise restricting access to data and monitoring how it is used for better protection.