Researchers found a bug in content management software “Box” that would allow an adversary to bypass MFA checks. The vendors have patched the flaw following the bug report.
Box MFA Bypass Vulnerability
Elaborating on the details in a detailed blog post, researchers from Varonis Threat Labs have explained how an MFA bypass bug riddled the secure login mechanism of Box.
Specifically, Box is a cloud-based content management and file-sharing software for businesses. To facilitate users with secure logins, the software offers SSO via authenticator apps and SMS-based OTPs.
While the idea seems safe, the researchers observed a way to bypass the authentication checks.
Typically, after entering the login credentials, the software redirects the user to the SMS-based or time-based OTP form, depending on what the user has chosen as the second authentication step. Meanwhile, the software also generates the user’s session cookie.
That’s where the bug existed. As stated in the post,
If the user does not navigate to the SMS verification form, no SMS message will be sent, but a session cookie is still generated.
So, if an attacker would enter the correct login credentials at this point (obtained via some breached data dump or any other means), the session cookie would generate. Then, the attacker could exploit this session cookie to redirect to a time-based OTP MFA mode.
The attacker completes the authentication process by posting a factor ID and code from their own Box account and authenticator app to the TOTP verification endpoint using the session cookie they received by providing the victim’s credentials.
At this stage, the software won’t verify if the user had actually enabled the TOTP mode. Nor it could verify if the authenticator app belonged to the actual user.
Thus, an adversary could easily skip SMs-based authentication and gain access to the victim’s account without needing the phone number.
Also, signing in this way won’t notify the victim user, thus keeping the attack stealth from the targets.
Box Deployed A Fix
Following this discovery, the researchers reported the matter to Box officials via their HackerOne bug bounty program.
Consequently, Box addressed the matter and deployed a fix.
Nonetheless, the researchers highlight that employing MFA methods doesn’t warrant foolproof security. Thus, companies should ensure robust security right at the level of data storage.
Let us know your thoughts in the comments.
Last modified: January 24, 2022