Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Mixed Messages: Busting Box’s MFA Methods- 763

Tal Peleg - Varonis
Posted 4 years ago
  • Multi-factor authentication (MFA) requires a second form of authentication after the standard username and password. This is commonly a text message containing a code, or a TOTP app such as Google Authenticator.
  • Box supported both SMS codes and TOTP for MFA. The TOTP verification flow had an insecure direct object reference (IDOR): the factor ID (the ID of the enrolled authenticator app) was taken from the request and never checked against the account being authenticated, so an attacker could submit the factor ID of their own authenticator together with a valid code from their own app and pass the check. Yikes!
  • The second bug was that the user being authenticated did not need to have TOTP enabled at all; only the SMS flow had to be set up. Start the SMS login flow for the victim, grab the session cookie issued after the password step, and replay it against the TOTP verification endpoint with the attacker's own factor ID and code from the bug above, and the MFA step is bypassed.
  • The author explains the bug as mixing MFA modes. Although this is true, I assume that this bug would still be valid even if the user had TOTP on. However, this is not explicitly stated in the article. Overall, good bug find!
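To make the two bugs concrete, here is an added example (my own code, not Box's or Varonis's; Box's real internals are not public and the data, user names, factor IDs and function names are all constructed for illustration). It models a server-side TOTP check that looks up the factor by the client-supplied ID without binding it to the session's user, next to a hardened check that scopes the lookup to the authenticating account and refuses to finish an SMS challenge through the TOTP endpoint. The TOTP itself is a straight RFC 6238 implementation over HMAC-SHA1.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample data (assumption, not from the write-up): the victim only
# has SMS enrolled, the attacker has their own TOTP authenticator enrolled.
USERS = {
    "victim": {"factors": {"sms-1": {"type": "sms"}}},
    "attacker": {"factors": {"totp-9": {"type": "totp", "secret": b"attacker-secret-key"}}},
}
# Global factor table keyed only by factor ID, the way an IDOR-prone lookup sees it.
FACTORS = {fid: dict(f, owner=user)
           for user, data in USERS.items()
           for fid, f in data["factors"].items()}


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current 30-second time step."""
    counter = int(now // step)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def start_sms_login(username: str) -> dict:
    """Password step already passed; returns the half-authenticated session
    (the 'cookie' from the write-up) with an SMS challenge pending."""
    assert "sms-1" in USERS[username]["factors"]
    return {"user": username, "pending_method": "sms", "mfa_done": False}


def verify_totp_vulnerable(session: dict, factor_id: str, code: str, now: float) -> bool:
    """Mirrors the IDOR: the factor is fetched by the ID the client sent and is
    never compared with session['user'], and the pending method is ignored."""
    factor = FACTORS.get(factor_id)
    if factor is None or factor["type"] != "totp":
        return False
    if hmac.compare_digest(totp(factor["secret"], now), code):
        session["mfa_done"] = True
        return True
    return False


def verify_totp_fixed(session: dict, factor_id: str, code: str, now: float) -> bool:
    """Hardened: the factor must belong to the session's user, and only a
    session that actually started a TOTP challenge may finish one here."""
    if session.get("pending_method") != "totp":
        return False
    factor = USERS[session["user"]]["factors"].get(factor_id)  # scoped lookup
    if factor is None or factor["type"] != "totp":
        return False
    if hmac.compare_digest(totp(factor["secret"], now), code):
        session["mfa_done"] = True
        return True
    return False


def attack(verify, now: float) -> bool:
    """Replay the write-up's chain: start the victim's SMS flow, then hit the
    TOTP endpoint with the attacker's own factor ID and current code."""
    session = start_sms_login("victim")
    attacker_code = totp(USERS["attacker"]["factors"]["totp-9"]["secret"], now)
    verify(session, "totp-9", attacker_code, now)
    return session["mfa_done"]


if __name__ == "__main__":
    now = time.time()
    print("vulnerable endpoint bypassed:", attack(verify_totp_vulnerable, now))
    print("fixed endpoint bypassed:     ", attack(verify_totp_fixed, now))
```

The fix is two checks, not one: the ownership check alone closes the IDOR, but the pending-method check is what stops an SMS-only account from being finished through the TOTP endpoint, which is the second bug the summary describes.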