"Researchers Find Way to Bypass SMS Codes on Box Accounts"

Researchers with Varonis Threat Labs have discovered a way to circumvent the multi-factor authentication for Box accounts in which an SMS text code is used for log-in verification. With this method, an attacker could use stolen credentials to compromise an organization's Box account and exfiltrate sensitive data without having to access the victim's phone. The team found that if the user does not navigate to the SMS verification form from Box, an SMS message does not get sent, but a session cookie still gets generated. They said an attacker would only need to enter the user's email address and password, stolen from a password leak or phishing attack, in order to get a valid session cookie. Therefore, an SMS message code is not required. Following the disclosure of the issue to Box via HackerOne on November 2, 2021, Box issued a cloud-based update. The Varonis research is considered significant because 97,000 companies and 68 percent of Fortune 500 companies rely on Box for collaboration and access to information from anywhere. Although multi-factor authentication is known to prevent account takeover, it is not a silver bullet solution because there are ways to bypass it, and not everyone can use it. Varonis has highlighted that malicious actors could make additional authentication tools less effective through compromised user credentials. Organizations are encouraged to implement coverage for mobile phishing attacks to protect against compromised credentials. Doing this will protect users from socially engineered phishing campaigns that give threat actors access to corporate infrastructure, apps, and data. This article continues to discuss the Box multi-factor authentication bypass that leaves accounts open to attack and why this type of authentication is not the ultimate solution.
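The defect class described above (a session cookie that is already usable after the password step, with the SMS step enforced only by whether the client loads the verification form) is easiest to see next to its hardened form. The following is an added illustration written for this summary; it is not Box's code and makes no claim about how Box's service is implemented. The user record, salt, session layout, `list_files` endpoint and `MAX_ATTEMPTS` limit are all constructed for the example. The hardened version keeps an explicit "MFA pending" state on the server, sends the code without waiting for the client, checks that state on every protected request, and rotates the session identifier once the second factor succeeds.

```python
import hashlib
import hmac
import secrets

# Constructed demo user store (not real credentials): email -> PBKDF2 record.
_SALT = b"demo-salt-for-illustration"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice@example.com": {"pw": _hash_password("correct horse"), "phone": "+15550000000"}}


def _password_ok(email: str, password: str) -> bool:
    rec = USERS.get(email)
    return rec is not None and hmac.compare_digest(rec["pw"], _hash_password(password))


def _new_session_id() -> str:
    return secrets.token_urlsafe(32)


class VulnerableLogin:
    """Session is fully authenticated after the password step; the SMS step only
    happens if the client navigates to the verification form."""

    def __init__(self):
        self.sessions = {}
        self.sms_outbox = []  # stands in for the SMS gateway

    def password_login(self, email, password):
        if not _password_ok(email, password):
            return None
        sid = _new_session_id()
        self.sessions[sid] = {"email": email}  # nothing records that MFA is outstanding
        return sid

    def request_sms(self, sid):  # only runs when the client loads the SMS form
        code = f"{secrets.randbelow(10**6):06d}"
        self.sessions[sid]["code"] = code
        self.sms_outbox.append((self.sessions[sid]["email"], code))

    def verify_sms(self, sid, code):
        return hmac.compare_digest(self.sessions[sid].get("code", ""), code)

    def is_authenticated(self, sid):
        return sid in self.sessions  # defect: never asks whether MFA was completed


class HardenedLogin:
    """Session carries an explicit MFA state; every protected request checks it."""

    MAX_ATTEMPTS = 5  # constructed limit for the example

    def __init__(self):
        self.sessions = {}
        self.sms_outbox = []

    def password_login(self, email, password):
        if not _password_ok(email, password):
            return None
        sid = _new_session_id()
        self.sessions[sid] = {"email": email, "mfa_verified": False,
                              "code_hash": None, "attempts": 0}
        self._send_code(sid)  # server-side, so completion does not depend on the client
        return sid

    def _send_code(self, sid):
        code = f"{secrets.randbelow(10**6):06d}"
        s = self.sessions[sid]
        s["code_hash"] = hashlib.sha256(code.encode()).digest()  # never store the code itself
        s["attempts"] = 0
        self.sms_outbox.append((s["email"], code))

    def verify_sms(self, sid, code):
        """Returns a fresh session id on success, None otherwise."""
        s = self.sessions.get(sid)
        if s is None or s["code_hash"] is None:
            return None
        s["attempts"] += 1
        if s["attempts"] > self.MAX_ATTEMPTS:
            del self.sessions[sid]  # too many guesses: drop the pending session
            return None
        if not hmac.compare_digest(s["code_hash"], hashlib.sha256(code.encode()).digest()):
            return None
        s["mfa_verified"] = True
        s["code_hash"] = None  # one-time use
        new_sid = _new_session_id()  # rotate the identifier at the privilege boundary
        self.sessions[new_sid] = self.sessions.pop(sid)
        return new_sid

    def is_authenticated(self, sid):
        s = self.sessions.get(sid)
        return s is not None and s["mfa_verified"]

    def list_files(self, sid):
        """Constructed protected endpoint: refuses any session still pending MFA."""
        if not self.is_authenticated(sid):
            raise PermissionError("MFA not completed")
        return ["report.pdf"]
```

The point to check in a review of any real login flow is the one `is_authenticated` makes explicit: the authorisation decision must read a server-held MFA state, not infer it from which page the client happened to request. Alerting on sessions that reach protected resources while their MFA state is still pending is a useful detection for this class of flaw.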

SC Magazine reports "Researchers Find Way to Bypass SMS Codes on Box Accounts"
