Box has patched a flaw in its SMS-based two-factor authentication (MFA), just weeks after its temporary one-time password (TOTP)-based MFA was found to have vulnerabilities too.
Once known, the vulnerability is extremely easy for an unsophisticated attacker to exploit. Attackers could compromise any Box user just by knowing or guessing their username and password rendering MFA useless.
Box, along with many other applications, allows users without SSO to use a one-time passcode sent via SMS as a second step in authentication. When a username and password are recorded in Box’s login form, its sets up a session cookie and redirects the user to enter either a temporary one-time password for use with an authenticator app, or an SMS code that can be used to gain access to their Box.com account.
if the user doesn’t navigate to the SMS verification form, no SMS message will be sent, but a session cookie is still generated and a malicious actor in possession of the user’s email and password only needs to enter them to get a valid session cookie. No SMS message code is required.
Once the cookie is generated, the attacker can abandon the SMS-based MFA process and instead initiate the TOTP-based process, posting a factor ID and code from their own Box account and authenticator app to the TOTP verification endpoint using the session cookie.
Box didn’t verify whether the victim was enrolled in TOTP verification, or validate that the authenticator app used belonged to the user that was logging in. To log in, users need to enter their email and password, followed by a one-time password from their authenticator app. However, it’s been found that the user didn’t need to be fully authenticated to remove a TOTP device from a user’s account.
This allowed the researchers to successfully unenroll a user from MFA after providing a username and password but before providing the second factor. They could then log in without any MFA requirements and gain full access to the user’s Box account.