Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more

Bypassing Box's Time-based One-Time Password MFA

The Varonis research team discovered a way to bypass Box's Time-based One-Time Password MFA for Box accounts that use authenticator applications.
Tal Peleg
2 min read
Published December 2, 2021
Last updated June 12, 2023

The Varonis research team discovered a way to bypass multi-factor authentication for Box accounts that use authenticator apps such as Google Authenticator.

Using the technique demonstrated below, an attacker could use stolen credentials to compromise an organization's Box account and exfiltrate sensitive data without providing a one-time password.

We disclosed this issue to Box on November 3rd via HackerOne and the team has since released a fix.

Background

In January 2021, Box launched the ability for accounts to use TOTP-based authenticator apps such as Google Authenticator, Okta Verify, Authy, Duo, and others, and others.

Box recommends TOTP over SMS-based authentication for obvious reasons-SMS messages can be hijacked via SIM swapping, port-out fraud, and other well-known techniques.

Authenticator apps that comply with the TOTP (time-based one-time password) algorithm are not only easier for the end-user, but much safer than SMS. Usually.

How does Box MFA work?

When a user adds an authenticator app to their Box account, the app is assigned a factor ID behind the scenes. Any time that user tries to login, Box prompts the user for their email and password followed by a one-time password from their authenticator app.

If the user doesn't provide the second factor, they won't be able to access the files and folders in their Box account. This provides a second line of defense in the event a user has a weak (or leaked) password.

What's the issue?

Our team discovered that the /mfa/unenrollment endpoint did not require the user to be fully authenticated in order to remove a TOTP device from a user's account. As a result, we were able to successfully unenroll a user from MFA after providing a username and password but before providing the second factor.

After performing the unenrollment action, we were able to login without any MFA requirements and gain full access to the user's Box account, including all their files and folders. Prior to Box's fix, attackers could compromise user accounts via credential stuffing, brute force, etc.

See the attack in action:

Attack Flow

1. The attacker enters a user's email address and password on account.box.com/login

2. If the password is correct, the attacker's browser is sent a new authentication cookie that grants access to a limited set of endpoints, including the /mfa/unenrollment endpoint

3. Instead of passing a valid one-time password from an authenticator app to the /mfa/verification endpoint, the attacker POSTs the device's factor ID to the /mfa/unenrollment endpoint and successfully unenrolls the device/user account combo from TOTP-based MFA

4. The attacker can now login again using single-factor authentication and gain full access to the user's account and their data

Takeaways

MFA is a step towards a safer internet and more resilient authentication for the SaaS apps we rely on, but MFA isn't perfect. There has been a massive push towards TOTP-based MFA, but if there are any flaws in its implementation, it can be bypassed.

Although nobody is immune to bugs and vulnerabilities, to minimize the likelihood of introducing an authentication flaw into your application, it's highly recommended to delegate your MFA implementation to a provider (e.g., Okta) that specializes in authentication.

The above example is simply one bypass technique for one SaaS platform. Many more exist-some of which we'll publish soon. Robust authentication is just one layer of defense. It's vital to take a defense-in-depth approach that assumes breach, especially if you're concerned about insider threats.

Finally, your security is only as good as your weakest link. In addition to requiring MFA, use SSO where possible, enforce strong password policies, monitor sites like HaveIBeenPwnd for breached accounts associated with your domain, and avoid using easy-to-find answers ("What's your mother's maiden name?") as part of your authentication flows.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

data-breach-response-times:-trends-and-tips
Data Breach Response Times: Trends and Tips
We've taken a deep dive to discover the trends between different data breaches, their response times, the effect of response duration and what you can do to keep your response time down.
mixed-messages:-busting-box’s-mfa-methods
Mixed Messages: Busting Box’s MFA Methods
Varonis Threat Labs discovered a way to bypass multi-factor authentication (MFA) for Box accounts that use an SMS code for login verification.
threat-update-56-–-sso-imposter:-targeting-box
Threat Update 56 – SSO Imposter: Targeting Box
In the final part of the series, Kilian Englert and Ryan O’Boyle from the Varonis Cloud Architecture team walk through how attackers could target Box. They investigate how an attacker…
top-5-remote-work-security-threats
Top 5 Remote Work Security Threats
COVID-19 threw us all a curveball, and attackers are rushing to take advantage of the increased attack surface. Varonis can help protect your remote workforce and data now and in better times.