{"id":1196,"date":"2024-12-11T13:01:10","date_gmt":"2024-12-11T13:01:10","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1196"},"modified":"2024-12-11T13:01:10","modified_gmt":"2024-12-11T13:01:10","slug":"microsoft-secretly-stopped-actors-from-snooping-on-your-mfa-codes","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1196","title":{"rendered":"Microsoft secretly stopped actors from snooping on your MFA codes"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Microsoft may have silently fixed a problem with its MFA implementation that attackers could have used to gain access to Outlook, OneDrive, Teams, and Azure accounts without any user interaction.<\/p>\n<p>AuthQuake, as the cybersecurity firm Oasis calls it, was a configuration oversight that increased brute force accuracy by 50% for threat actors trying to guess <a href=\"https:\/\/www.csoonline.com\/article\/3535222\/mfa-adoption-is-catching-up-but-is-not-quite-there.html\">MFA<\/a> authentication codes.<\/p>\n<p>According to Oasis Security, which discovered and<a href=\"https:\/\/pages.oasis.security\/rs\/106-PZV-596\/images\/oasis-security-authquake-mfa-bypass.pdf?version=0\"> reported<\/a> the bug to Microsoft in June, it is a combination of two errors: a lack of rate limiting and an extended timeframe for validating Time-Based One-Time Password (TOTP) codes.<\/p>\n<p>\u201cThe bypass was simple: it took around an hour to execute, required no user interaction and did not generate any notification or provide the account holder with any indication of trouble,\u201d Oasis said in a report.<\/p>\n<p>While the bug wasn\u2019t ever publicly disclosed, Oasis said it was promptly acknowledged and patched by Microsoft by October. 
\u201cWe appreciate the partnership with Oasis Security in responsibly disclosing this issue. We have already released an update and no customer action is required,\u201d a Microsoft spokesperson said. \u201cWe have monitoring in place to detect this type of abuse and have not seen any evidence this technique has been used against our customers.\u201d<\/p>\n<p>\u201cThe latest report from Oasis Security on the discovery of AuthQuake highlights significant problems with MFA overall,\u201d said Kris Bondi, chief executive officer and co-founder of<a href=\"https:\/\/www.mimoto.ai\/\"> Mimoto<\/a>, a San Francisco, Calif.-based end-to-end recognition company. \u201cWhen MFA is compromised, it quickly switches from a security tool to a significant attack vector. By gaining access to accounts of the 400 million paid users of Office 365, bad actors would be able to stealthily perform reconnaissance to find the most valuable systems and data.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Lack of rate limiting simplified brute force<\/h2>\n<p>When users access Microsoft\u2019s login pages, they are assigned a session identifier. After entering valid credentials, they must further verify their identity through MFA, with multiple options including verification codes generated by the Microsoft Authenticator app. On the app, users input a 6-digit code to complete authentication, with up to 10 failed attempts allowed per session.<\/p>\n<p>The vulnerability stems from the ability to generate multiple requests simultaneously using the same session parameters.<\/p>\n<p>\u201cThe limit of 10 consequent fails was only applied to the temporary session object, which can be regenerated with not enough of a rate limit,\u201d Oasis explained. 
\u201cSimply put\u2013one could execute a lot of attempts simultaneously.\u201d<\/p>\n<p>The Oasis research team showed that by rapidly creating new sessions and enumerating codes, attackers could attempt combinations at a high rate, quickly exhausting all one million possible 6-digit codes. During these attack attempts, account owners received no alerts about the numerous failed attempts, making this vulnerability highly stealthy and dangerous.<\/p>\n<p>\u201cThe recent discovery of the AuthQuake vulnerability in Microsoft\u2019s Multi-Factor Authentication (MFA) serves as a reminder that security isn\u2019t just about deploying MFA \u2013 it must also be configured properly,\u201d said James Scobey, chief information security officer at<a href=\"https:\/\/www.keepersecurity.com\/\"> Keeper Security<\/a>. \u201cWhile MFA is undoubtedly a powerful defense, its effectiveness depends on key settings, such as rate limiting to thwart brute-force attempts and user notifications for failed login attempts.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Extended timeframe adds icing on the top<\/h2>\n<p>Authenticator app codes follow time-based one-time password (TOTP)<a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc6238\"> guidelines<\/a>, generating a new code every 30 seconds, with a small tolerance window to allow for clock drift between users and validators.<\/p>\n<p>Oasis Security\u2019s testing found that Microsoft\u2019s sign-in system permits codes to remain valid for roughly three minutes, extending the window for attack attempts.<\/p>\n<p>This extended window gives attackers a 3% chance of guessing the code correctly per attempt. 
After about 24 sessions, they could have over a 50% chance of success, Oasis noted.<\/p>\n<p>\u201cAuthQuake exposes significant flaws in Microsoft\u2019s MFA implementation, revealing an important fact,\u201d said Jason Soroko, Senior Fellow at<a href=\"https:\/\/www.sectigo.com\/\"> Sectigo<\/a>, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM). \u201cAuthentication systems based on shared secrets are inherently vulnerable. This discovery is a wake-up call. Organizations must act to adopt patches and reconsider their reliance on outdated MFA solutions.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Microsoft quietly fixed the misconfiguration<\/h2>\n<p>While AuthQuake is being considered a critical vulnerability by experts, it is unclear whether it received a vulnerability identifier after discovery. There is no entry for the vulnerability in the NIST-managed National Vulnerability Database (NVD).<\/p>\n<p>Microsoft did, indeed, take the flaw seriously, reportedly fixing it in October. \u201cMicrosoft applied their final fix this October,\u201d said Elad Luz, head of research at Oasis Security. \u201cWe can confirm their fix addressed the flaws we discussed.\u201d While specific details of the changes are confidential, we can confirm that Microsoft introduced a much stricter rate limit that kicks in after a number of failed attempts; the strict limit lasts around half a day, Oasis added in the report.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Microsoft may have silently fixed a problem with its MFA implementation that attackers could have used to gain access to Outlook, OneDrive, Teams, and Azure accounts without any user interaction. 
AuthQuake, as the cybersecurity firm Oasis calls it, was a configuration oversight that increased brute force accuracy by 50% for threat actors trying to guess [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1178,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1196","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1196"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1196"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1196\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1178"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1196"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1196"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1196"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}