A security bug in the file-sharing cloud app could have allowed attackers using stolen credentials to skate by one-time SMS code verification requirements.
A security hole in Box, the cloud-based file-sharing service, paved the way for busting its multifactor authentication (MFA), researchers said – and it’s the second such MFA bypass they have discovered in the service so far.
Clearly, the stakes are high – gaining access to a Box account could give cyberattackers access to a vast array of sensitive documents and data for both individuals and organizations. The company claims 97,000 companies and 68 percent of the Fortune 500 as customers.
Varonis Threat Labs researchers said the bypass worked on accounts that used one-time SMS codes for two-factor authentication (2FA) verification. In a proof-of-concept exploit, they were able to achieve the bypass by stealing a session cookie.
“With increased pressure to adopt and enforce multi-factor authentication, many [software-as-a-service] providers now offer multiple MFA options to provide users a second line of defense against credential stuffing and other password attacks.

“Like many applications, Box allows users without Single Sign-On (SSO) to, or SMS with a one-time passcode as a second step in authentication.”