Sometimes a username and password alone are not enough. In high-sensitivity areas, additional levels of security are necessary, so another way to demonstrate that someone owns an account is required; this is commonly called MFA (multi-factor authentication).
The Google Authenticator app and SMS text messages are common ways to do this. An attacker being able to bypass MFA is quite bad if they already have the username and password.
The bypass is quite simple: remove the MFA. Once the user is in a partially authenticated state (such as when they log in), the /mfa/unenrollment endpoint can be used to remove the MFA.
To remediate this, the user needs to be completely authenticated to remove the MFA. The author also mentions using a SaaS app to do MFA instead to avoid these types of issues.
In terms of testing, partially authenticated spaces are interesting to test. Most APIs treat authentication as a simple yes/no question (is the user who they say they are?) and layer authorization between users on top of that answer. This API simply did not consider the case where a user had logged in with only the username/password. This is a good place to test!
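To make the remediation concrete, here is an added example (not code from the original write-up or the affected API) that models the unenrollment check as a small Python module. The session states, the `User`/`Session` types, the `unenroll_mfa_*` function names and the five-minute step-up window are all assumptions for illustration. The vulnerable version accepts any logged-in session, so a session that has only presented a password can remove MFA; the hardened version requires the session to have completed MFA, and to have done so recently, before the factor can be removed.

```python
"""Modelling the /mfa/unenrollment authorization check.

Constructed example: the session/user model, the endpoint functions and the
sample data are assumptions made for illustration, not the API from the
original write-up.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class AuthState(Enum):
    ANONYMOUS = "anonymous"
    PASSWORD_ONLY = "password_only"              # credentials accepted, MFA pending
    FULLY_AUTHENTICATED = "fully_authenticated"  # MFA challenge passed


@dataclass
class Session:
    user_id: str
    state: AuthState
    mfa_verified_at: Optional[float] = None      # epoch seconds of last MFA success


@dataclass
class User:
    user_id: str
    mfa_enrolled: bool


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the action."""


def make_users() -> Dict[str, User]:
    # Constructed sample data: one user who currently has MFA enrolled.
    return {"alice": User(user_id="alice", mfa_enrolled=True)}


def unenroll_mfa_vulnerable(session: Session, users: Dict[str, User]) -> bool:
    """Reproduces the flawed check: any non-anonymous session counts as
    'logged in', so a password-only session can strip MFA from the account."""
    if session.state is AuthState.ANONYMOUS:
        raise Forbidden("login required")
    users[session.user_id].mfa_enrolled = False
    return True


# Assumed step-up window: MFA must have been verified within the last 5 minutes.
MAX_MFA_AGE_SECONDS = 300


def unenroll_mfa_hardened(session: Session, users: Dict[str, User], now: float) -> bool:
    """Requires a fully authenticated session with a recent MFA verification.

    Two checks: the session must have passed the MFA challenge (not merely the
    password step), and that verification must be fresh, so that a long-lived
    session cannot remove the factor without re-proving possession of it."""
    if session.state is not AuthState.FULLY_AUTHENTICATED:
        raise Forbidden("MFA verification required before unenrollment")
    if session.mfa_verified_at is None or now - session.mfa_verified_at > MAX_MFA_AGE_SECONDS:
        raise Forbidden("re-verify MFA to perform this action")
    users[session.user_id].mfa_enrolled = False
    return True


def demo() -> Dict[str, bool]:
    """Runs both checks against a password-only session and reports whether
    MFA is still enrolled afterwards (True means the account stayed protected)."""
    partial = Session(user_id="alice", state=AuthState.PASSWORD_ONLY)
    results = {}

    users = make_users()
    unenroll_mfa_vulnerable(partial, users)
    results["vulnerable_keeps_mfa"] = users["alice"].mfa_enrolled

    users = make_users()
    try:
        unenroll_mfa_hardened(partial, users, now=1000.0)
    except Forbidden:
        pass
    results["hardened_keeps_mfa"] = users["alice"].mfa_enrolled
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that "has a session" and "is fully authenticated" are different predicates; sensitive account-management actions such as removing a factor should gate on the latter, and a freshness requirement on the last MFA verification keeps a hijacked long-lived session from qualifying either.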