Critical 2FA bypass vulnerability in Box cloud management software

Cloud infrastructure management firm Box confirmed that its security teams are addressing a flaw in its SMS-based two-factor authentication (2FA) system, after a report detailed a technique that would let attackers with stolen login credentials access Box accounts and extract sensitive information, rendering 2FA useless.

Like other similar platforms, Box allows users to log in by entering a one-time passcode sent via SMS. When a username and password are entered in the Box login form, the platform sets a session cookie and redirects the user to a page where they enter a temporary code from an authenticator app or an SMS message, which then grants access to the Box.com account.

The problem arises when the user never navigates to the SMS verification form: in that case no SMS message is sent, but a session cookie has already been generated. Threat actors who know the affected user's email address and password could therefore obtain a valid session cookie and evade the 2FA mechanism.

With that valid cookie in hand, attackers could initiate a TOTP-based authentication flow, posting a factor ID and code from their own Box account and authenticator app to the TOTP verification endpoint while presenting the victim's session cookie. The application does not verify that the victim is enrolled in TOTP verification, nor does it validate that the authenticator app used actually belongs to that user.
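The missing ownership check described above, shown as an added example that is not Box's code or the researchers' code: a minimal TOTP verifier (RFC 6238, HMAC-SHA1) with the flawed pattern beside a hardened one. The factor IDs, secrets, e-mail addresses, session layout and function names are all constructed for the illustration.

```python
import hmac, hashlib, struct

# Constructed sample data: factor_id -> (owner, secret), plus each user's enrolled factors.
FACTORS = {
    "f-victim": ("victim@example.com", b"victim-secret-0001"),
    "f-attacker": ("attacker@example.com", b"attacker-secret-0002"),
}
ENROLLED = {"victim@example.com": ["f-victim"], "attacker@example.com": ["f-attacker"]}

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `now`."""
    msg = struct.pack(">Q", now // step)
    h = hmac.new(secret, msg, hashlib.sha1).digest()
    off = h[-1] & 0x0F
    code = (struct.unpack(">I", h[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def verify_vulnerable(session: dict, factor_id: str, code: str, now: int) -> bool:
    """Flawed pattern: the code is checked against whichever factor the caller
    names; nothing ties that factor to the user the session cookie belongs to."""
    _owner, secret = FACTORS[factor_id]
    if hmac.compare_digest(totp(secret, now), code):
        session["authenticated"] = True
        return True
    return False

def verify_fixed(session: dict, factor_id: str, code: str, now: int) -> bool:
    """Hardened: session must be awaiting a second factor, the factor must be one
    this session's user enrolled, and only then is the code compared."""
    if session.get("state") != "pending_2fa":
        return False
    if factor_id not in ENROLLED.get(session["user"], []):
        return False  # factor belongs to another account, or user has no TOTP enrolled
    _owner, secret = FACTORS[factor_id]
    if not hmac.compare_digest(totp(secret, now), code):
        return False
    session["authenticated"] = True
    session["state"] = "authenticated"
    return True

def cross_account_factor_accepted(verify, now: int) -> bool:
    """Simulates the scenario in the article: a session for the victim's account,
    completed with a factor ID and code belonging to a different account."""
    session = {"user": "victim@example.com", "state": "pending_2fa", "authenticated": False}
    code = totp(FACTORS["f-attacker"][1], now)
    return verify(session, "f-attacker", code, now) and session["authenticated"]
```

A server-side log entry for every rejected factor/user mismatch is the detection signal worth keeping from the hardened version.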

This report comes after a specialist reported that Box's TOTP-based 2FA was also vulnerable to exploitation. To log in, users must enter their email address and password, plus a one-time password from their authenticator app. At that time, the expert found that a user did not have to be fully authenticated in order to remove a TOTP device from the account.

This attack would have made it possible to cancel a user's 2FA enrollment after providing a username and password, but before providing the second factor. An attacker could then log in without any 2FA requirement and gain full access to the user's Box account.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.