SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Varonis has discovered new threat bypassing multi-factor authentication in Box
Tue, 7th Dec 2021

A method to bypass multifactor authentication for Box accounts that use authenticator apps such as Google Authenticator has been discovered by Varonis.

According to Tal Peleg, senior security researcher at Varonis, an attacker could use stolen credentials to compromise an organisation's Box account and exfiltrate sensitive data without providing a one-time password.

Varonis disclosed the issue to Box on 3 November via HackerOne, and Box has since released a fix.

In January 2021, Box launched the ability for accounts to use TOTP-based authenticator apps such as Google Authenticator, Okta Verify, Authy, Duo and others.

Peleg says Box recommends TOTP over SMS-based authentication for obvious reasons - SMS messages can be hijacked via SIM swapping, port-out fraud, and other well-known techniques.

"Authenticator apps that comply with the TOTP (time-based one-time password) algorithm are not only easier for the end-user, but much safer than SMS. Usually," he says.

How does Box MFA work?
When a user adds an authenticator app to their Box account, the app is assigned a factor ID behind the scenes. Any time that user tries to log in, Box prompts the user for their email and password, followed by a one-time password from their authenticator app.

"If the user doesn't provide the second factor, they won't be able to access the files and folders in their Box account," says Peleg.

"This provides a second line of defence in the event a user has a weak (or leaked) password."

What's the issue?
"Our team discovered that the /mfa/unenrollment endpoint did not require the user to be fully authenticated to remove a TOTP device from a user's account," says Peleg.

"As a result, we were able to successfully unenroll a user from MFA after providing a username and password but before providing the second factor," he explains.

"After performing the unenrollment action, we were able to login without any MFA requirements and gain full access to the user's Box account, including all their files and folders. Prior to Box's fix, attackers could compromise user accounts via credential stuffing, brute force, etc."

Attack Flow

  1. The attacker enters a user's email address and password on account.box.com/login
  2. If the password is correct, the attacker's browser is sent a new authentication cookie that grants access to a limited set of endpoints, including the /mfa/unenrollment endpoint
  3. Instead of passing a valid one-time password from an authenticator app to the /mfa/verification endpoint, the attacker POSTs the device's factor ID to the /mfa/unenrollment endpoint and successfully unenrolls the device/user account combo from TOTP-based MFA
  4. The attacker can now log in again using single-factor authentication and gain full access to the user's account and their data
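The flow above, modelled in Python as an added example (this is not Box's code or Varonis's proof of concept): a toy authentication service with a vulnerable and a hardened /mfa/unenrollment handler, plus an RFC 6238 TOTP generator standing in for the authenticator app. The session states, the class and method names, the victim account, the TOTP parameters, and the assumption that the attacker already knows the device's factor ID are all assumptions made for the illustration.

```python
"""Toy model of the MFA-unenrollment bypass described in the attack flow.

Added example, not Box's code or Varonis's PoC. Endpoint names
(/login, /mfa/verification, /mfa/unenrollment) and the "factor ID" follow
the article; session states, class names, the victim account and the TOTP
parameters are assumptions chosen to illustrate the flaw and its fix.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional


def totp(secret_b32: str, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), i.e. what an authenticator app displays."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Session:
    # PASSWORD_OK: password accepted, second factor still pending (the
    # "limited" cookie from step 2). FULL: both factors accepted.
    def __init__(self, user: str, state: str):
        self.user, self.state = user, state


class MfaService:
    def __init__(self, *, hardened: bool):
        self.hardened = hardened
        self.passwords: Dict[str, str] = {}
        self.factors: Dict[str, Dict[str, str]] = {}  # user -> {factor_id: totp secret}

    def enroll(self, user: str, password: str, secret_b32: str) -> str:
        self.passwords[user] = password
        factor_id = secrets.token_hex(4)  # assumed opaque identifier for the device
        self.factors.setdefault(user, {})[factor_id] = secret_b32
        return factor_id

    # POST /login
    def login(self, user: str, password: str) -> Optional[Session]:
        if not hmac.compare_digest(self.passwords.get(user, ""), password):
            return None
        state = "PASSWORD_OK" if self.factors.get(user) else "FULL"
        return Session(user, state)

    # POST /mfa/verification
    def mfa_verification(self, s: Session, code: str) -> bool:
        for secret in self.factors.get(s.user, {}).values():
            if hmac.compare_digest(totp(secret), code):
                s.state = "FULL"
                return True
        return False

    # POST /mfa/unenrollment
    def mfa_unenrollment(self, s: Session, factor_id: str, code: Optional[str] = None) -> bool:
        if self.hardened:
            # Fix: a state-changing MFA operation needs a fully authenticated
            # session AND a fresh second factor, so neither a password-only
            # session nor a hijacked FULL session can strip the device.
            if s.state != "FULL" or code is None or not self.mfa_verification(s, code):
                return False
        # Vulnerable behaviour: any session that passed the password check suffices.
        return self.factors.get(s.user, {}).pop(factor_id, None) is not None


def run_attack(hardened: bool) -> str:
    """Replays steps 1-4 with stolen credentials; returns the attacker's final session state."""
    svc = MfaService(hardened=hardened)
    secret = base64.b32encode(secrets.token_bytes(20)).decode()
    # Constructed victim account and leaked password.
    factor_id = svc.enroll("victim@example.com", "Winter2021!", secret)
    # Steps 1-2: correct password yields a limited, MFA-pending session.
    s = svc.login("victim@example.com", "Winter2021!")
    if s is None or s.state != "PASSWORD_OK":
        raise RuntimeError("model setup failed")
    # Step 3: skip /mfa/verification and POST the factor ID to /mfa/unenrollment.
    svc.mfa_unenrollment(s, factor_id)
    # Step 4: log in again; with no enrolled factor the login is single-factor.
    return svc.login("victim@example.com", "Winter2021!").state


if __name__ == "__main__":
    print("vulnerable:", run_attack(hardened=False))  # FULL: bypass succeeds
    print("hardened:  ", run_attack(hardened=True))   # PASSWORD_OK: still needs TOTP
```

The point the model makes is that authorisation for /mfa/unenrollment must be keyed on the session's authentication state, not merely on the presence of a session cookie; the hardened branch additionally demands a current code, which is the usual step-up pattern for security-sensitive account changes.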

"MFA is a step towards a safer internet and more resilient authentication for the SaaS apps we rely on, but MFA isn't perfect," says Peleg.

"There has been a massive push towards TOTP-based MFA, but if there are any flaws in its implementation, it can be bypassed.

"Although nobody is immune to bugs and vulnerabilities, to minimise the likelihood of introducing an authentication flaw into your application, it's highly recommended to delegate your MFA implementation to a provider (e.g., Okta) that specialises in authentication," he says.

"The above example is simply one bypass technique for one SaaS platform. Many more exist - some of which we'll publish soon. Robust authentication is just one layer of defence. It's vital to take a defence-in-depth approach that assumes breach, especially if you're concerned about insider threats."

Peleg says security is only as good as a company's weakest link.

"In addition to requiring MFA, use SSO where possible, enforce strong password policies, monitor sites like Have I Been Pwned for breached accounts associated with your domain, and avoid using easy-to-find answers ("What's your mother's maiden name?") as part of your authentication flows."