Box Cloud File Storage and Sharing Service

Product
Developers: Box (formerly Box.net)
Last Release Date: 2022/01/18
Branches: Internet services
Technology: SaaS (software as a service), Storage

2022: Vulnerability found in the service's multi-factor authentication system

On January 18, 2022, Varonis Systems announced that it had identified a vulnerability in the multi-factor authentication (MFA) system of the Box cloud storage service, specifically in the variant that verifies the user with an additional SMS message. It is the second MFA bypass in Box discovered within a short period. Attackers can use it to steal and compromise corporate data, and they do not even need access to the victim's phone.

Many organizations choose cloud storage: according to Box, 97 thousand enterprises use its service, including 68% of the Fortune 500. To protect access to their data they can use MFA, implemented either through dedicated applications such as Okta Verify and Google Authenticator, or through SMS confirmations.

Multi-factor authentication is used by many cloud service providers as an additional way of protecting user accounts. After the login and password have been entered, Box offers a choice of method for the second authentication step: an authenticator app based on TOTP (time-based one-time passwords), or an SMS message. The SMS code, however, is sent only when the user actually opens the SMS verification form. Until then no message is sent, yet the Box authentication system has already issued a session cookie, which an attacker who has stolen the victim's e-mail address and password therefore obtains as well.

Holding that cookie, the attacker can steer the MFA process to the TOTP verification step instead of the SMS form. Box's checks did not verify which MFA method the user had actually enrolled, nor whether the submitted authenticator factor belonged to that user. This lets an attacker get into the account without ever touching the victim's phone.

The attack proceeds as follows:

  • the attacker enrolls an authenticator app as the MFA method on an account under their control and records the resulting authentication factor identifier;
  • on the account.box.com/login page, the attacker enters the victim's stolen login and password;
  • if the combination is correct, Box issues a new authentication cookie and redirects the session to the /2fa/verification page;
  • instead of proceeding to the SMS code form, the attacker submits their own authenticator factor together with the current code from their app, and gains access to the account's data. No SMS message is ever sent to the victim.
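To make the flaw in the verification step concrete, the following Python model is an added example written for this page; it is not Box's code and not Varonis's proof of concept. It models a second-factor verification handler in two variants: a vulnerable one that looks the submitted factor up in a global table, so any valid (factor, code) pair satisfies MFA for any session, and a fixed one that only accepts factors enrolled on the account the session belongs to. The account names, factor identifiers, TOTP seed and timestamp are all constructed; the TOTP routine itself follows RFC 6238.

```python
"""Model of the Box SMS-MFA bypass described above (constructed example, not Box's code)."""
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), so the example verifies real one-time codes."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = (int(time.time()) if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Factor:
    factor_id: str
    owner: str          # account the factor was enrolled on
    kind: str           # "totp" or "sms"
    secret: str = ""    # base32 TOTP seed; empty for SMS factors


@dataclass
class Session:
    user: str           # account whose password was accepted at /login
    mfa_passed: bool = False


# Constructed data: the victim enrolled SMS only; the attacker enrolled a TOTP
# app on a separate account they control (hypothetical identifiers and seed).
FACTORS: Dict[str, Factor] = {
    "f-victim-sms": Factor("f-victim-sms", "victim@example.com", "sms"),
    "f-attacker-totp": Factor("f-attacker-totp", "attacker@example.com", "totp",
                              secret="JBSWY3DPEHPK3PXP"),
}


def _code_matches(factor: Factor, code: str, at: Optional[int]) -> bool:
    return hmac.compare_digest(totp(factor.secret, at).encode(), code.encode())


def verify_totp_vulnerable(session: Session, factor_id: str, code: str,
                           at: Optional[int] = None) -> bool:
    """Models the flaw: the factor is looked up globally, the victim's enrolled
    method (SMS) is never consulted, and factor ownership is never checked."""
    factor = FACTORS.get(factor_id)
    if factor is None or factor.kind != "totp":
        return False
    if _code_matches(factor, code, at):
        session.mfa_passed = True
    return session.mfa_passed


def verify_totp_fixed(session: Session, factor_id: str, code: str,
                      at: Optional[int] = None) -> bool:
    """Hardened check: the factor must belong to the session's own account and
    be a TOTP factor; otherwise reject before evaluating the code at all."""
    factor = FACTORS.get(factor_id)
    if factor is None or factor.owner != session.user or factor.kind != "totp":
        return False
    if _code_matches(factor, code, at):
        session.mfa_passed = True
    return session.mfa_passed


def demo(at: int = 1_642_464_000) -> Tuple[bool, bool]:
    """Attacker holding the victim's stolen password is at /2fa/verification with
    a session for the victim. Instead of the SMS form they submit their own
    factor ID and the code from their own app. Fixed timestamp (18 Jan 2022)
    keeps the result deterministic."""
    attacker_code = totp(FACTORS["f-attacker-totp"].secret, at)
    vuln = verify_totp_vulnerable(Session("victim@example.com"), "f-attacker-totp", attacker_code, at)
    fixed = verify_totp_fixed(Session("victim@example.com"), "f-attacker-totp", attacker_code, at)
    return vuln, fixed


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The difference between the two handlers is a single ownership condition, which is the practical lesson: a second-factor endpoint must resolve factors through the authenticated principal, not through a client-supplied identifier, and must refuse factor kinds the account never enrolled.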

"Multi-factor user authentication is seen by many companies as a panacea that prevents data security threats. It is enough to recall the mandatory use of MFA in Salesforce and Microsoft services; in Russia, for example, users of the public services portal are advised to switch to MFA. However, the reliability of such a system largely depends on its implementation. Multi-factor authentication can create a false sense of security, but its use does not guarantee that the data is sufficiently secure," says Daniel Gutman, head of Varonis in Russia.

Varonis believes that using MFA does not remove the need for a data-centric approach to securing information systems. In any case, an organization needs to monitor both how multi-factor authentication is used across its services and how the data itself is accessed.

In addition, the staff responsible for information security should know:

  • how much data an attacker can reach by compromising a single account;
  • whether the company's data is exposed to an excessively wide set of users, and whether the security tooling will alert administrators when it detects anomalous access to that data.

The Varonis research team had previously discovered a way to bypass multi-factor authentication for Box accounts that use authenticator applications such as Google Authenticator.

2014: Lifting Limits on Storage Space for Business Subscribers

In July 2014, cloud service provider Box lifted the storage limits for all companies on its Business plan, the tier one step below Enterprise.

Box has offered unlimited storage to Enterprise customers since 2010 (at the time of the announcement, that subscription started at $35 per user per month). Until then, Business had a limit of 1,000 gigabytes at a subscription price of $15 per user per month. All current and future Business plan customers now get unlimited storage space.

2013

The Box service, which is accessible from browsers and from mobile applications for all major platforms, is aimed at enterprises of all sizes. As of 2013, Box intended to expand and improve its tools for collaborative work on documents.

2012: Service Capabilities

As of November 2012, the service offered the following:

  • Free storage: 5 GB.

  • Additional space: personal account, 25 GB for $9.99 per month or 50 GB for $19.99 per month. Business account: $15 per user per month for 3 to 500 users, with 1 TB of shared storage, password protection, access control and user permissions. Enterprise account: individual pricing, unlimited space, custom branding and group access management tools.

  • Additionally: 256-bit SSL and AES encryption and a firewall. In business and enterprise accounts, files are encrypted and stored with automatic redundancy. Maximum file size: 100 MB on free accounts, 1 GB on paid personal accounts and 2 GB on business accounts. Box allows documents to be edited in the cloud with third-party applications such as Zoho.