
A Flaw in Multi-Factor Authentication Leads to a Box Account Takeover

According to new research from Varonis, a vulnerability in Box's implementation of multi-factor authentication (MFA) allowed attackers to take over accounts without access to the victim's phone. The flaw, which was patched in November 2021, meant that an attacker needed only stolen credentials to get into a company's Box account and steal sensitive data, provided SMS-based MFA was enabled on that account. Box, which says close to 100,000 firms use its platform, lets users without Single Sign-On (SSO) further secure their accounts with either an authenticator app or SMS as the second factor.

How Does SMS Verification Work in Box?

After providing a username and password in Box's login form, the user is redirected to one of two pages:
  • If the user is enrolled with an authenticator app, a form to enter a time-based one-time password (TOTP).
  • If the user has opted to receive a passcode via SMS, a form to enter an SMS code.

When the user lands on the SMS verification form, a code is sent to their phone; they must enter this code to gain access to their Box.com account.

When a user logs into a Box account with a password, the platform sets a session cookie and redirects to a page where they must enter either a time-based one-time password (TOTP) from an authenticator app (at /mfa/verification) or an SMS code (at /2fa/verification). When a user enrolls an authenticator app, Box assigns it a factor ID; at login the user must then supply that factor ID together with a one-time password generated by the app, in addition to their credentials.

Varonis researchers found that an attacker could bypass MFA on an account with SMS-based MFA enabled by abandoning the SMS verification step and starting the TOTP verification flow instead. Because the TOTP check did not tie the submitted factor ID to the account being logged into, the attacker could complete the victim's login by supplying the factor ID and a valid code from a Box account and authenticator app that the attacker controls, in effect mixing the two MFA modes.
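The bypass described above comes down to a server verifying a TOTP against whatever factor ID the client posts, without checking that the factor belongs to the account in the session or that the login flow for that account called for TOTP at all. The Python below is an added illustration, not Box's code and not the Varonis proof of concept; the factor store, session layout, factor IDs, e-mail addresses and the fixed clock are all constructed for the example. It implements RFC 6238 TOTP with the standard library only, shows a vulnerable verifier that accepts the attacker's own factor for the victim's session, and the hardened form that accepts only the factor the server itself selected at login.

```python
import base64
import hashlib
import hmac
import struct


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, standard library only."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


# Constructed enrollment data (hypothetical, not Box's): the victim has only an
# SMS factor; the attacker owns a separate account with a TOTP factor whose
# secret the attacker, as its owner, naturally knows.
FACTORS = {
    "f-victim-sms": {"user": "victim@example.com", "type": "sms"},
    "f-attacker-totp": {
        "user": "attacker@example.com",
        "type": "totp",
        "secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",  # RFC 6238 test-vector secret
    },
}


def start_login(user):
    """Password step already passed. The server picks the user's enrolled
    factor itself and records it in the session; the client gets no say."""
    enrolled = [fid for fid, f in FACTORS.items() if f["user"] == user]
    return {"user": user, "pending_factor": enrolled[0], "mfa_verified": False}


def _totp_matches(factor, code, unix_time):
    return factor.get("type") == "totp" and hmac.compare_digest(
        totp(factor["secret"], unix_time), code)


def verify_totp_vulnerable(session, factor_id, code, unix_time):
    """Mirrors the flaw: the handler trusts the factor ID the client posts and
    only checks that the code is valid for *that* factor. Nothing ties the
    factor to the account in the session, so a victim whose only factor is
    SMS gets logged in with the attacker's own TOTP."""
    factor = FACTORS.get(factor_id)
    if factor is None or not _totp_matches(factor, code, unix_time):
        return False
    session["mfa_verified"] = True
    return True


def verify_totp_fixed(session, factor_id, code, unix_time):
    """Hardened form: the only acceptable factor is the one the server chose
    for this session, which by construction belongs to the session's user.
    An SMS-enrolled account therefore cannot be finished with any TOTP."""
    if factor_id != session["pending_factor"]:
        return False
    factor = FACTORS[factor_id]
    if factor["user"] != session["user"] or not _totp_matches(factor, code, unix_time):
        return False
    session["mfa_verified"] = True
    return True


if __name__ == "__main__":
    now = 59  # fixed clock so the run is reproducible
    attacker_code = totp(FACTORS["f-attacker-totp"]["secret"], now)
    victim = start_login("victim@example.com")
    print("vulnerable:", verify_totp_vulnerable(victim, "f-attacker-totp", attacker_code, now))
    victim = start_login("victim@example.com")
    print("fixed:", verify_totp_fixed(victim, "f-attacker-totp", attacker_code, now))
```

The hardened check is a strict equality against a server-chosen factor rather than a lookup of whatever the client names; that single binding is what stops the two MFA modes from being mixed, and it is the case a regression test should exercise by submitting a valid code for a factor enrolled on a different account.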

Amid the push for mandatory MFA from firms such as Salesforce and Google, and from a White House executive order, this finding is a reminder that MFA implementations, like any other software, can contain flaws. MFA can create a false sense of security: the fact that it is enabled does not mean an attacker needs physical access to the victim's device to compromise the account.

Google to shut down Google+ and Inbox on April 2





After shutting down its social network Google+, Google has announced that it is also closing its Inbox app.

Starting March 18th, Google will notify all Inbox users of the closure through a pop-up that appears every time they open the app.

The notification also includes a link to the Gmail app so that users are not left without an alternative. Gmail has recently gained features such as Smart Reply, Smart Compose, and Follow-ups.

Inbox by Gmail is already hard to find on the Google Play Store.

The notification released by Google reads:
“This app will be going away in 13 days,” the alert reads. “You can find your favorite inbox features in the Google app. Your messages are already waiting for you.”

On its official website, Google said:

“Inbox is signing off. Find your favorite features in the new Gmail. We are saying goodbye to Inbox at the end of March 2019. While we were here, we found a new way to email with ideas like snooze, nudges, Smart Reply and more. That’s why we’ve brought your favorite features to Gmail to help you get more done. All your conversations are already waiting for you. See you there.”