Box 2FA Bypass Opens User Accounts to Attack

Box 2FA Bypass Opens User Accounts to Attack-01

A security bug in the file-sharing cloud app could have allowed attackers using stolen credentials to skate by one-time SMS code verification requirements.

A security hole In Box, the cloud-based file-sharing service, paved the way for busting its multifactor authentication (MFA), researchers said – and it’s the second such MFA bypass they have discovered in the service so far.

Varonis Threat Labs researchers said the bypass worked on accounts that used one-time SMS codes for two-factor authentication (2FA) verification. In a proof-of-concept exploit, they were able to achieve the bypass by stealing a session cookie.

The first bypass the researchers discovered worked on authenticator-based MFA.

Read More:

For more such updates follow us on Google News ITsecuritywire News