No User Interaction, No Alerts: Azure MFA Cracked in an Hour
This Christmas, be prepared for a cybersecurity riddle that might leave you speechless. Imagine finding a riddle in your cracker asking, “What takes an hour to execute, requires no user interaction, and doesn’t generate any notifications?” The answer? A critical vulnerability found in Microsoft’s Multi-Factor Authentication (MFA) implementation.
A recent report from Oasis Security’s research team has exposed a serious vulnerability in Microsoft’s MFA, detailing how attackers exploited weaknesses to gain unauthorized access to user accounts.
Bypassing MFA: A Time-Delay Conundrum
The vulnerability stemmed from a lack of rate limiting and an extended timeframe for validating Time-Based One-Time Password (TOTP) codes generated by Microsoft’s Authenticator app.
Here’s how the attack worked:
- The app generates a six-digit code based on a shared secret and the current time, with a new code every 30 seconds.
- Users enter this code after entering their username and password.
- The code is sent to Microsoft for verification, with a limit of ten consecutive fails allowed per session.
However, this ten-attempt limit only applied to the temporary session objective. Delays from different time zones and between the validator and the user created a larger window for attack.
Oasis Security’s research found that Microsoft’s vulnerability displayed a tolerance of around three minutes for a single code, two and a half minutes longer than the recommended 30-second timeframe. This extended window allowed attackers six times more attempts than usual.
Multiple, Simultaneous Attempts: Flooding the System
The team also demonstrated how attackers could rapidly create new sessions, enabling multiple simultaneous attempts to crack the six-digit code. During this time, account owners received no alerts about the numerous failed attempts.
Microsoft Takes Action: A Timely Response
Oasis Security immediately alerted Microsoft about the vulnerability, working closely with them to quickly implement a solution. Microsoft updated its system with stricter rate limiting measures and released a blog post detailing the incident and providing guidance for organizations using MFA.
Alarm Bells Ring: A Wake-Up Call for Businesses
This incident caused a stir in the cybersecurity community, highlighting the need for organizations to review their own MFA implementations. Many experts believe MFA should not be considered a state-of-the-art security measure but rather a minimum requirement. Jason Soroke, Senior Fellow at Sectigo, called the findings “a wake-up call,” while Kris Bondi, CEO and Co-Founder of Mimoto emphasized the importance of continuous monitoring alongside MFA implementation. James Scobey, Chief Information Security Officer at Keeper Security, stressed the importance of proper configuration, including features like rate limiting and user notifications for failed login attempts.
The Importance of Staying Vigilant
This incident serves as a reminder that even the most robust security systems can have vulnerabilities. While MFA provides a crucial layer of protection, it’s essential to remain vigilant and take steps to