Breaking the Box
Cloud management firm Box has moved to patch a flaw in its SMS-based multi-factor authentication (MFA), just weeks after its time-based one-time password (TOTP)-based MFA was found to have vulnerabilities too.
In a technical blog post today (January 18), Varonis Threat Labs outlined how the technique could allow an attacker to use stolen credentials to compromise an organization’s Box account and exfiltrate sensitive data without access to the victim’s phone.
“Once known, the vulnerability is extremely easy for an unsophisticated attacker to exploit,” Or Emanuel, head of Varonis Threat Labs, tells The Daily Swig.
“Attackers could compromise any Box user just by knowing or guessing their username and password – rendering MFA useless.”
Box, along with many other applications, allows users without Single Sign-On (SSO) to use a one-time passcode sent via SMS as a second step in authentication.
When a username and password are entered into Box’s login form, Box sets a session cookie and redirects the user to enter either a time-based one-time password (TOTP) from an authenticator app, or an SMS code, either of which can be used to gain access to their Box.com account.
However, if the user doesn’t navigate to the SMS verification form, no SMS message will be sent, but a session cookie is still generated – and a malicious actor in possession of the user’s email and password only needs to enter them to get a valid session cookie. No SMS message code is required.
Once the cookie is generated, the attacker can abandon the SMS-based MFA process and instead initiate the TOTP-based process, posting a factor ID and code from their own Box account and authenticator app to the TOTP verification endpoint using the session cookie.
Box didn’t verify whether the victim was enrolled in TOTP verification, or validate that the authenticator app used belonged to the user that was logging in.
Emanuel says the disclosure was made via HackerOne, and that Box was swift to respond.
The report follows Varonis’ discovery late last year that Box’s TOTP-based MFA was also vulnerable to exploitation.
To log in, users need to enter their email and password, followed by a one-time password from their authenticator app. However, Varonis found that a user did not need to be fully authenticated (that is, past the second factor) in order to remove a TOTP device from their account.
This allowed the researchers to successfully unenroll a user from MFA after providing a username and password but before providing the second factor. They could then log in without any MFA requirements and gain full access to the user’s Box account.
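Both findings come down to the same missing binding between a half-authenticated session and the second factor. The toy model below is an added illustration, not Box's code: a password-only session can post a factor ID and TOTP code from any account to the vulnerable verifier, while the fixed verifier ties the factor to the session's user and to that user's enrolled method; the unenrollment pair models the earlier bug, where device removal was accepted before MFA completed. Every account, factor ID, seed and function name is constructed for the demo.

```python
import hashlib, hmac, secrets, struct, time

USERS = {  # constructed demo state (hypothetical; not Box's data model)
    "victim@example.com":   {"methods": {"sms"},  "factors": {}},
    "attacker@example.com": {"methods": {"totp"}, "factors": {"f-attacker": b"attacker-seed"}},
}
SESSIONS = {}  # cookie -> {"user": email, "mfa_done": bool}

def totp(secret, now=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), enough to generate and check codes here."""
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def login_password(email):
    """Step 1: password accepted; a session cookie is issued before any second factor."""
    cookie = secrets.token_hex(8)
    SESSIONS[cookie] = {"user": email, "mfa_done": False}
    return cookie

def verify_totp_vulnerable(cookie, factor_id, code, now=None):
    """Bug pattern: factor looked up by ID alone, so any account's authenticator passes."""
    for account in USERS.values():
        seed = account["factors"].get(factor_id)
        if seed and hmac.compare_digest(totp(seed, now), code):
            SESSIONS[cookie]["mfa_done"] = True
            return True
    return False

def verify_totp_fixed(cookie, factor_id, code, now=None):
    """Fix: the factor must belong to the session's user, who must be enrolled in TOTP."""
    user = USERS[SESSIONS[cookie]["user"]]
    seed = user["factors"].get(factor_id)
    if "totp" not in user["methods"] or seed is None:
        return False
    if not hmac.compare_digest(totp(seed, now), code):
        return False
    SESSIONS[cookie]["mfa_done"] = True
    return True

def unenroll_totp_vulnerable(cookie, factor_id):
    """Earlier bug pattern: device removal accepted on a half-authenticated session."""
    return USERS[SESSIONS[cookie]["user"]]["factors"].pop(factor_id, None) is not None

def unenroll_totp_fixed(cookie, factor_id):
    """Fix: account changes require a session that has completed MFA."""
    return SESSIONS[cookie]["mfa_done"] and unenroll_totp_vulnerable(cookie, factor_id)  # same removal, gated
```

The `now` argument only exists so the demo is reproducible at a fixed timestamp; a real verifier uses the current time and should also tolerate one step of clock skew.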
Emanuel says the team is testing other MFA implementations.
“We think it is extremely widespread, as there are countless SaaS applications, most of which have their own implementation of MFA. The more we look, the more flaws we find,” he says.
“There are many failure points, too – not just the vendor’s MFA code. For example, there are many ways to intercept SMS messages via techniques like SIM jacking and port-out fraud. Authenticator apps can have bugs. There are also backdoors into SaaS apps that bypass the login process altogether, for example session hijacking.”