A security bug in the file-sharing cloud app could have allowed attackers using stolen credentials to skate by one-time SMS code verification requirements.
A security hole In Box, the cloud-based file-sharing service, paved the way for busting its multifactor authentication (MFA), researchers said – and it’s the second such MFA bypass they have discovered in the service so far.
Varonis Threat Labs researchers said the bypass worked on accounts that used one-time SMS codes for two-factor authentication (2FA) verification. In a proof-of-concept exploit, they were able to achieve the bypass by stealing a session cookie.
The first bypass the researchers discovered worked on authenticator-based MFA.
Read More: https://threatpost.com/box-2fa-bypass-accounts-attack/177760/
For more such updates follow us on Google News ITsecuritywire News
