Varonis discovers MFA bypass for Box accounts

Varonis Threat Labs has discovered a multi-factor authentication (MFA) bypass vulnerability for Box accounts that use an SMS code for login verification.

Varonis reported the MFA bypass flaw to Box on November 2, 2021 via HackerOne. Box has since fixed the issue.

“Using this technique, an attacker could use stolen credentials to compromise an organization’s Box account and exfiltrate sensitive data without access to the victim’s phone,” Varonis wrote in a blog post disclosing the issue.

Varonis also demonstrated two application flaws that an attacker could abuse to access a victim’s MFA-enabled account with just a username and password.