BOX Authentication Bypass

Researchers have helped fix an issue with Box that could have been exploited to bypass MFA for accounts that relied on authenticator apps such as Google Authenticator.

The popular cloud storage company was alerted by researchers after they found a relatively simple workaround to use stolen credentials to log into a Box account without providing a time-based one-time password (TOTP).

Box allowed users access to some areas of the account after verifying their login credentials, but before entering the TOTP. They demonstrated a mechanism that allowed them to unenroll a user from MFA after providing a username and password but before providing the second factor.

MFA is a step towards a safer internet and more resilient authentication for the SaaS apps we rely on, but MFA isn’t perfect. There has been a massive push towards TOTP-based MFA, but if there are any flaws in its implementation, it can be bypassed.

While demonstrating the workflow for bypassing TOTP to log into a compromised account, the researchers also took the opportunity to make a few suggestions for businesses looking to introduce MFA.

In addition to requiring MFA, businesses must also use SSO wherever possible. They also ask businesses to enforce strong password policies, avoid using questions with easy-to-find answers as part of their authentication flows, and keep their eyes peeled for breached passwords from their domain on sites like HaveIBeenPwnd.