20. January 2022

This article has been indexed from

CySecurity News – Latest Information Security and Hacking Incidents

According to new research from Varonis, a vulnerability in Box’s implementation of multi-factor authentication (MFA) allows attackers to take over accounts without having access to the victim’s phone. Because of the flaw, which was patched in November 2021, an attacker just needed stolen credentials to get access to a company’s Box account and steal sensitive information if SMS-based MFA was activated. Users without Single Sign-On (SSO) can further secure their accounts using an authenticator app or SMS for second-factor authentication, according to Box, which says that close to 100,000 firms utilize its platform.

How Does SMS Verification Work in Box?

After providing a username and password in Box’s login form, the user is redirected to one of two pages:

If the user is enrolled with an authenticator app, a form to enter a time-based one-time password (OTP). If the user has opted to receive a passcode via SMS, a form to enter an SMS code will appear.  A code is delivered to the user’s phone when they go to the SMS verification form. To gain access to their Box.com account, they must enter this code. 

When a user attempts to log into a Box account, the platform saves a session cookie and leads to a page where they must enter a time-based one-time password (TOTP) from an authenticator app (at /mfa/verification

[…]

Content was cut in order to protect the source.Please visit the source for the rest of the article.

Read the original article: