Varonis Threat Labs discovered a way to bypass multi-factor authentication (MFA) for Box accounts that use an SMS code for login verification.

Cybersecurity researchers this week revealed details of a bug in Box’s multi-factor authentication (MFA) mechanism. Malicious actors could exploit the fault to completely sidestep SMS-based login verification.

“Using this technique, an attacker could use stolen credentials to compromise an organization’s Box account and exfiltrate sensitive data without access to the victim’s phone,” Varonis researchers explained in a blog post this week.

The cybersecurity company said it reported the issue to the cloud service provider on November 2, 2021, and that Box has since fixed the problem.

Why this is important

MFA is an authentication method that requires more than one factor to log in, for example a password combined with a time-based one-time password (TOTP) generated by an authenticator app or a one-time code delivered by SMS. The second factor is meant to stop an attacker who has only the password.

With increased pressure to adopt and enforce multi-factor authentication, many SaaS providers now offer multiple MFA options. These provide users a second line of defense against credential stuffing and other password attacks. Varonis Threat Labs has been analyzing MFA implementations to see just how secure they really are.

How to bypass the Box MFA system

After entering a username and password in Box’s login form, Box sets a session cookie and redirects the user to either:

  • A form to enter a time-based one-time password (TOTP) if the user has an authenticator app, or
  • A form to enter an SMS code if the user enrolled to receive a passcode via SMS

When the user navigates to the SMS verification form, the Box system sends a code to their phone. They must enter this code to gain access to their Box.com account.

A problem arises, however, if the user never navigates to the SMS verification form. In that case the system sends no SMS, yet the session cookie issued after the password check is already in place and accepted. A malicious actor can therefore enter the user's (stolen) email and password, skip the SMS form entirely, and hold a valid session cookie. No SMS code is required, and the victim's phone receives nothing that might alert them.
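The flaw described above is a session-state problem: the server issues a usable session after the password step and relies on the client loading the second-factor form to finish the job. The following is an added illustration, not Box's code or anything from the Varonis writeup. It models a two-step login in which the SMS is only triggered by opening the SMS form, and compares a weak server that trusts any post-password session with a hardened one that keeps the session in a pending state until the second factor has actually been verified. The user accounts, endpoints and class names are constructed for the example.

```python
"""Constructed model of a password + SMS login flow.

Not Box's implementation: it only reproduces the behaviour the article
describes (SMS sent on form load, session cookie issued after the password
step) and shows where the second-factor check must live to prevent the bypass.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed test accounts, not real users.
USERS = {
    "alice@example.com": {"password": "correct horse", "factor": "sms"},
    "bob@example.com": {"password": "battery staple", "factor": "totp"},
}


@dataclass
class Session:
    user: str
    mfa_verified: bool = False          # set only after a second factor succeeds
    pending_sms_code: Optional[str] = None


class LoginServer:
    def __init__(self, enforce_mfa: bool):
        # enforce_mfa=False models the flaw: any post-password session is trusted.
        self.enforce_mfa = enforce_mfa
        self.sessions = {}

    def login(self, email: str, password: str):
        """Step 1: password check. Issues a session cookie and a redirect to the
        second-factor form for the user's enrolled factor (/mfa/sms or /mfa/totp)."""
        user = USERS.get(email)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None, "login_failed"
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = Session(user=email)
        return cookie, f"/mfa/{user['factor']}"

    def open_sms_form(self, cookie: str) -> str:
        """Loading the SMS form is what triggers the SMS. If the client never
        loads it, no code is ever generated or sent."""
        s = self.sessions[cookie]
        s.pending_sms_code = f"{secrets.randbelow(10**6):06d}"
        return s.pending_sms_code  # would be texted to the phone; returned here for the test

    def verify_sms(self, cookie: str, code: str) -> bool:
        s = self.sessions[cookie]
        if s.pending_sms_code and hmac.compare_digest(s.pending_sms_code, code):
            s.mfa_verified = True
            s.pending_sms_code = None
            return True
        return False

    def access_files(self, cookie: str) -> str:
        """Protected endpoint. The hardened variant refuses any session whose
        second factor has not completed, regardless of what the client did."""
        s = self.sessions.get(cookie)
        if s is None:
            return "denied"
        if self.enforce_mfa and not s.mfa_verified:
            return "mfa_required"
        return f"files of {s.user}"


def bypass_attempt(server: LoginServer) -> str:
    """Attacker with a stolen password skips the SMS form entirely."""
    cookie, _redirect = server.login("alice@example.com", "correct horse")
    return server.access_files(cookie)


def legitimate_flow(server: LoginServer) -> str:
    """Victim's normal path: open the SMS form, receive the code, submit it."""
    cookie, redirect = server.login("alice@example.com", "correct horse")
    assert redirect == "/mfa/sms"
    code = server.open_sms_form(cookie)
    assert server.verify_sms(cookie, code)
    return server.access_files(cookie)


if __name__ == "__main__":
    print("weak server, no SMS:    ", bypass_attempt(LoginServer(enforce_mfa=False)))
    print("hardened server, no SMS:", bypass_attempt(LoginServer(enforce_mfa=True)))
    print("hardened server, SMS ok:", legitimate_flow(LoginServer(enforce_mfa=True)))
```

The point of the hardened branch is that the check runs on every protected request and keys off state the server set itself when the factor was verified; whether the client ever requested the SMS form is irrelevant. When reviewing an MFA implementation, the question to ask is the one `access_files` answers: after the password step, what exactly does the session cookie entitle the holder to before the second factor succeeds?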