Researchers on Tuesday said they discovered a way to bypass multifactor authentication (MFA) for Box accounts that use an SMS text code for log-in verification.
In a blog post, Varonis Threat Labs said an attacker using this technique could use stolen credentials to compromise an organization’s Box account and exfiltrate sensitive data without access to the victim’s phone. The team discovered that if the user does not navigate to the SMS verification form from Box, no SMS message gets sent, but a session cookie still gets generated. The researchers said a malicious actor only needs to enter the user’s email and password — stolen from a password leak or phishing attack, for example — to get a valid session cookie: no SMS message code is required.
Varonis said they disclosed the issue to Box on Nov. 2 via HackerOne and Box released a cloud-based update.
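The following is an added illustration of the general class of flaw described above, not Box's or Varonis's code: a toy two-step login in which the cookie issued after the password step is checked with and without a requirement that the second factor was verified. All class and method names and the sample account are hypothetical and constructed for this example.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    mfa_required: bool
    mfa_verified: bool = False   # set only after a correct SMS code

class AuthService:
    """Toy two-step login (hypothetical; plaintext passwords are sample data only)."""
    def __init__(self, users):
        self.users = users        # email -> {"password": str, "mfa": bool}
        self.sessions = {}        # cookie -> Session
        self.pending_codes = {}   # cookie -> one-time SMS code

    def login_password(self, email, password):
        u = self.users.get(email)
        if u is None or not secrets.compare_digest(u["password"], password):
            return None
        cookie = secrets.token_urlsafe(16)
        # A session record exists from this point on, before any SMS is sent.
        self.sessions[cookie] = Session(email, u["mfa"])
        return cookie

    def send_sms_code(self, cookie):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_codes[cookie] = code
        return code               # a real service would send this to the phone

    def verify_sms_code(self, cookie, code):
        expected = self.pending_codes.pop(cookie, None)  # single use
        s = self.sessions.get(cookie)
        if s and expected and secrets.compare_digest(expected, code):
            s.mfa_verified = True
            return True
        return False

    def authorize_flawed(self, cookie):
        # Trusts any known cookie: skipping the SMS step still passes.
        return cookie in self.sessions

    def authorize_hardened(self, cookie):
        # Enrolled users are authorized only once the second factor is verified.
        s = self.sessions.get(cookie)
        return s is not None and (s.mfa_verified or not s.mfa_required)
```

A regression test for this kind of issue logs in with a password only, never requests the SMS form, and asserts that every protected endpoint rejects the resulting cookie.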
This was the second time in the past several weeks that Varonis researchers have discovered a Box MFA bypass. The first one was disclosed in December, when Varonis reported they discovered a way to bypass MFA for Box accounts that use time-based one-time-password (TOTP) authenticator apps such as Google Authenticator, an issue Box also released a cloud-based update for.
“MFA is widely touted as ‘the’ way to keep accounts safe from attack,” said Rob Sobers, vice president of marketing at Varonis. “The Threat Labs team turned that idea on its head by exposing two separate issues with MFA in a popular SaaS application. As the research shows, MFA is not a magic bullet. Given that every SaaS provider offers MFA, we think the possibilities for future exploits are a big — and concerning — possibility.”
The Varonis research was viewed as significant because, according to Box, 97,000 companies and 68% of the Fortune 500 rely on Box to access information from anywhere and collaborate with anyone.
While MFA has earned a reputation as a solution to prevent account takeover, and rightfully so, it’s not a silver bullet because there are ways to circumvent it and there are times it’s not possible for people to use it, said Wade Lance, Field CTO at Illusive.
“For example, implementing MFA on a legacy application that uses hard-coded credentials may be impractical if the application needs to be rewritten,” Lance said. “Another risk with MFA is that it only protects users enrolled into the solution without providing any visibility into users that are not. This can provide a false sense of security, as users with ‘shadow’ admin rights proliferate across the environment. Organizations should absolutely use MFA, but they need to think holistically about privileged identities to discover these unmanaged and misconfigured identity risks.”
MFA makes sense as a best practice, but like any software technology implementation, it can lead to bugs, said Saumitra Das, co-founder and CTO at Blue Hexagon.
“Past attacks on MFA have used mobile apps and this is a direct attack without needing access to a user's device,” Das said. “This underscores the fact that organizations need to invest in defense-in-depth and not rely on hardening solutions to be a full panacea against threats. MFA could be broken on SaaS services and lead to data compromise. MFA could also be broken on non-SaaS services and lead to network compromise as well.”
Hank Schless, senior manager of security solutions at Lookout, said while MFA can help users validate their identity, it cannot tell whether a user really is who they say they are.
“The issue that Varonis highlights is that compromised user credentials could make additional authentication tools far less effective,” Schless said. “Employees are more prone to phishing attacks today as they work from anywhere on both personal and corporate-issued laptops, PCs, smartphones, and tablets. To protect against compromised credentials, organizations need to implement coverage for mobile phishing attacks. Doing so will ensure that your users are protected from socially engineered phishing campaigns that give threat actors the keys to your corporate infrastructure, apps, and data.”