Original Post: Bypassing Box’s Time-based One-Time Password MFA
This vulnerability was analyzed during Episode 105 on 06 December 2021
A partially authenticated user could remove MFA from their account. During the login process, a user enrolled in MFA who had logged in with the correct credentials but had not yet provided the TOTP token could access the /mfa/unenrollment endpoint and remove MFA from the account.
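The root cause is a single "logged in" threshold that does not distinguish a session waiting on its second factor from one that has completed login. The following is an added illustration, not Box's code or the episode's: a toy per-endpoint policy in which the weak version treats a password-verified session as fully logged in, and the hardened version lets only the verification endpoint be reached from that intermediate state. The /files path, the user name and the status codes are assumptions for the example.

```python
from dataclasses import dataclass
from enum import IntEnum

# Constructed session model, not Box's. States are ordered so that a comparison
# expresses "at least this far through the login flow".
class AuthState(IntEnum):
    ANONYMOUS = 0
    PASSWORD_VERIFIED = 1    # correct credentials, TOTP still outstanding
    FULLY_AUTHENTICATED = 2  # every configured factor satisfied

@dataclass
class Session:
    user: str
    state: AuthState = AuthState.ANONYMOUS
    mfa_enrolled: bool = True

# Weak policy: one threshold for everything. A session that has passed the
# password step but not yet presented a TOTP code counts as "logged in".
WEAK_POLICY = {
    "/mfa/verify": AuthState.PASSWORD_VERIFIED,
    "/mfa/unenrollment": AuthState.PASSWORD_VERIFIED,
    "/files": AuthState.PASSWORD_VERIFIED,  # hypothetical endpoint
}

# Hardened policy: the only endpoint reachable from the intermediate state is
# the one that completes it. Anything that changes the account's
# authentication settings requires the fully authenticated state.
HARDENED_POLICY = {
    "/mfa/verify": AuthState.PASSWORD_VERIFIED,
    "/mfa/unenrollment": AuthState.FULLY_AUTHENTICATED,
    "/files": AuthState.FULLY_AUTHENTICATED,
}

def handle(path: str, session: Session, policy: dict) -> int:
    """Dispatch a request and return an HTTP-style status code.
    Unknown paths fall back to the strictest requirement (default deny)."""
    required = policy.get(path, AuthState.FULLY_AUTHENTICATED)
    if session.state < required:
        return 401
    if path == "/mfa/unenrollment":
        session.mfa_enrolled = False
    return 200

def replay_bypass(policy: dict) -> bool:
    """Replay the scenario from the post: correct password, no TOTP submitted,
    then a request to /mfa/unenrollment. Returns True if MFA was removed."""
    s = Session(user="alice", state=AuthState.PASSWORD_VERIFIED)
    handle("/mfa/unenrollment", s, policy)
    return not s.mfa_enrolled
```

Under WEAK_POLICY the replay removes MFA; under HARDENED_POLICY the same request is rejected while /mfa/verify remains reachable so the login can still complete.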