Researchers said on Tuesday they discovered a way to bypass multi-factor authentication (MFA) for Box accounts that use an SMS code for login verification.
In a blog post, Varonis Threat Labs said an attacker using this technique could use stolen credentials to compromise an organization’s Box account and exfiltrate sensitive data without gaining access to the victim’s phone. The team discovered that if the user never navigates to Box’s SMS verification form, no SMS message is sent, but a session cookie is still generated. The researchers said a malicious actor only had to enter the user’s email and password – stolen in a password leak or phishing attack, for example – to obtain a valid session cookie: no SMS code is required.
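The flaw described above, modelled as an added illustration that is not Varonis’s or Box’s code: a login that issues a fully trusted session cookie as soon as the password checks out (the SMS form being a separate step the client can skip), next to a flow that withholds the cookie until the SMS code is verified. All accounts, passwords and codes are constructed.

```python
# Added example, not Varonis's or Box's code: the vulnerable pattern (session
# cookie granted before the SMS step) beside a hardened one (only an MFA-pending
# token until the code verifies). Users, passwords and codes are constructed.
import hmac
import secrets

USERS = {"alice@example.com": {"password": "correct horse", "sms_mfa": True}}
SESSIONS = {}   # cookie -> {"user", "mfa_verified"}
PENDING = {}    # pending token -> {"user", "code"}


def _password_ok(email, password):
    u = USERS.get(email)
    return bool(u) and hmac.compare_digest(u["password"].encode(), password.encode())


# Vulnerable flow: the password check alone creates a fully authenticated
# session; the SMS form is a separate page the client may simply never request.
def vulnerable_login(email, password):
    if not _password_ok(email, password):
        return None
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = {"user": email, "mfa_verified": True}  # bug: trusted before SMS
    return cookie


# Hardened flow: the password check yields only an MFA-pending token that no
# protected endpoint accepts; the session cookie exists once the code verifies.
def hardened_login(email, password):
    if not _password_ok(email, password):
        return None
    code = f"{secrets.randbelow(10**6):06d}"   # would be delivered over SMS
    token = secrets.token_urlsafe(32)
    PENDING[token] = {"user": email, "code": code}
    return token


def hardened_verify_sms(token, submitted_code):
    entry = PENDING.pop(token, None)            # single use: one attempt per token
    if entry is None or not hmac.compare_digest(entry["code"].encode(), submitted_code.encode()):
        return None
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = {"user": entry["user"], "mfa_verified": True}
    return cookie


def can_access_files(cookie):
    # Protected endpoints must consult the MFA state, not just cookie validity.
    s = SESSIONS.get(cookie)
    return bool(s) and s["mfa_verified"]
```

Run against the constructed account, the vulnerable flow grants file access from the password alone, while the hardened flow rejects the pending token until the correct code is submitted.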
Varonis said it disclosed the issue to Box on Nov. 2 via HackerOne, and Box released a cloud-based update.
This was the second time in recent weeks that Varonis researchers discovered a Box MFA bypass. The first was unveiled in December, when Varonis reported a way to bypass MFA for Box accounts that use time-based one-time password (TOTP) authenticator apps such as Google Authenticator, an issue for which Box also released a cloud-based update.
“MFA is widely touted as ‘the’ way to protect accounts from attacks,” said Rob Sobers, vice president of marketing at Varonis. “The Threat Labs team flipped this idea on its head by exposing two separate issues with MFA in a popular SaaS application. As the research shows, MFA is not a silver bullet. Since every SaaS vendor offers MFA, we believe that the possibilities for future exploits are significant – and concerning.”
Varonis’s research was considered important because, according to Box, 97,000 companies and 68% of Fortune 500 companies rely on Box to access information from anywhere and collaborate with anyone.
Although MFA has rightly gained a reputation as a solution for preventing account takeover, it is not a magic bullet, because there are ways around it and sometimes it is impossible for people to use it, said Wade Lance, Field CTO at Illusive.
“For example, implementing MFA on a legacy application that uses hard-coded credentials might be impractical if the application needs to be rewritten,” Lance said. “Another risk with MFA is that it only protects users registered with the solution without providing visibility into users who are not. This can give a false sense of security, as ‘ghost’ users with administrator rights proliferate in the environment. Organizations should definitely use MFA, but they need to think holistically about privileged identities to uncover these unmanaged and misconfigured identity risks.”
MFA makes sense as a best practice, but like any software technology implementation, it can lead to bugs, said Saumitra Das, co-founder and CTO of Blue Hexagon.
“Past MFA attacks have used mobile apps, and this is a direct attack without the need to access a user’s device,” Das said. “This underscores the fact that organizations need to invest in defense-in-depth and not rely on hardening solutions to be a complete panacea against threats. MFA could be broken on SaaS services and lead to data compromise. MFA could also be broken on non-SaaS services and lead to network compromise as well.”
Hank Schless, senior manager of security solutions at Lookout, said that while MFA can help users validate their identity, it cannot differentiate whether a user is really who they say they are.
“The issue highlighted by Varonis is that compromised user credentials could make additional authentication tools much less effective,” Schless said. “Employees today are more prone to phishing attacks as they work from anywhere on personal and work laptops, PCs, smartphones and tablets. To protect against compromised credentials, organizations must implement coverage against mobile phishing attacks. This will ensure that your users are protected against social engineering phishing campaigns that give threat actors the keys to your company’s infrastructure, applications, and data.”