Featured content
-1.png)
-
Nov 15, 2022
Varonis Threat Labs Discovers SQLi and Access Flaws in Zendesk
Varonis Threat Labs found a SQL injection vulnerability and a logical access flaw in Zendesk Explore, the reporting and analytics service in the popular customer service solution, Zendesk.
Tal Peleg
3 min read
-
May 11, 2022
Spoofing SaaS Vanity URLs for Social Engineering Attacks
Many SaaS applications offer what’s known as vanity URLs — customizable web addresses for landing pages, file-sharing links, etc. Vanity URLs allow you to create a personalized link that looks like this:
Tal Peleg
6 min read
-
Jan 18, 2022
Mixed Messages: Busting Box’s MFA Methods
Varonis Threat Labs discovered a way to bypass multi-factor authentication (MFA) for Box accounts that use an SMS code for login verification. Using this technique, an attacker could use stolen credentials to compromise an organization’s Box account and exfiltrate sensitive data without access to the victim’s phone. We disclosed this issue to Box on November 2, 2021 via HackerOne and Box released a fix. Sound familiar? This is the second Box MFA bypass we’ve discovered recently. You can read about our authenticator-based MFA bypass.
Tal Peleg
3 min read
-
Dec 02, 2021
Bypassing Box's Time-based One-Time Password MFA
The Varonis research team discovered a way to bypass multi-factor authentication for Box accounts that use authenticator apps such as Google Authenticator.
Tal Peleg
2 min read