A critical vulnerability in Microsoft Azure's multifactor authentication (MFA) was recently exposed by researchers at Oasis Security, allowing unauthorized access to user accounts in under an hour. This flaw put over 400 million Microsoft 365 seats at risk, as it permitted access to email, OneDrive, Teams, and more without proper authorization.
Discovery of the Flaw
The vulnerability, revealed in a December 11 blog post by Oasis Security, stemmed from the absence of rate limiting on MFA sign-in attempts. Repeated failed attempts did not trigger any alert to the account holder, which made the attack low-profile as well as dangerous. Dubbed "AuthQuake," the technique involved rapidly opening new sessions and submitting different code guesses in each. A six-digit MFA code has only one million possible values, a space the researchers could work through quickly with high-frequency attempts.
Bypass Mechanics and Disclosure
During their investigation, Oasis researchers found that the window during which a given MFA code was accepted exceeded the recommended duration by 2.5 minutes. While the Internet Engineering Task Force (IETF) suggests a 30-second expiration for time-based one-time passwords (TOTP), Microsoft's systems allowed a single code to remain valid for up to three minutes. This extended window raised the odds of guessing an accepted code within the period, significantly increasing the potential for unauthorized access. Upon identifying the vulnerability, Oasis promptly informed Microsoft, which acknowledged the issue in June. By October 9, Microsoft had implemented a fix by imposing a stronger rate limit, which now activates after a certain number of failed attempts and lasts for about half a day, cutting off this kind of guessing attack.
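To make the two factors above concrete, the following added Python model (not Oasis's or Microsoft's code) shows how the code validity window and a failed-attempt lockout change the odds of a six-digit code being guessed. It assumes one fresh TOTP code per 30-second step, so a three-minute validity window means several codes are accepted at once; the attempt rate, lockout threshold and lockout length are assumed parameters, not Microsoft's actual values.

```python
import math
from typing import Optional

CODE_SPACE = 10 ** 6   # six-digit code: 000000 to 999999
TOTP_STEP = 30         # RFC 6238 default time step, in seconds


def accepted_codes(validity_seconds: int, step: int = TOTP_STEP) -> int:
    """Codes a verifier accepts at one instant when it honours codes for
    validity_seconds (modelling assumption: a fresh code every step)."""
    return max(1, math.ceil(validity_seconds / step))


def brute_force_probability(guesses: int, validity_seconds: int) -> float:
    """P(at least one guess accepted) for independent random guesses."""
    p_hit = accepted_codes(validity_seconds) / CODE_SPACE
    return 1.0 - (1.0 - p_hit) ** guesses


class FailedAttemptLimiter:
    """Per-account lockout: after `threshold` failures, refuse to evaluate
    further codes for lockout_seconds. Both parameters are assumptions."""

    def __init__(self, threshold: int = 10, lockout_seconds: int = 12 * 3600):
        self.threshold, self.lockout_seconds = threshold, lockout_seconds
        self.failures, self.locked_until = 0, 0.0

    def attempt(self, now: float, code_ok: bool) -> bool:
        """True only if the code was evaluated and accepted."""
        if now < self.locked_until:
            return False            # locked out: the code is not evaluated
        if code_ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.threshold:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
        return False


def guesses_evaluated(rate: float, horizon_seconds: float,
                      limiter: Optional[FailedAttemptLimiter] = None) -> int:
    """Guesses an attacker at `rate`/s gets evaluated within the horizon."""
    if limiter is None:                      # no rate limit: the pre-fix state
        return int(rate * horizon_seconds)
    # With a lockout the attacker gets at most `threshold` evaluated guesses
    # per lockout period, no matter how many new sessions are opened.
    periods = math.ceil(horizon_seconds / limiter.lockout_seconds)
    return limiter.threshold * periods


if __name__ == "__main__":
    for validity in (TOTP_STEP, 180):        # 30-second vs three-minute window
        g = guesses_evaluated(100, 3600)     # assumed 100 guesses/s for an hour
        print(validity, g, round(brute_force_probability(g, validity), 3))
    print(guesses_evaluated(100, 3600, FailedAttemptLimiter()))
```

At the assumed rate, an hour of unlimited guessing against a 30-second window succeeds about 30% of the time and against a three-minute window about 88%; with a ten-failure lockout of half a day, the same hour yields ten evaluated guesses.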
Implications for MFA Security
While MFA remains a cornerstone of securing online accounts, this discovery underscores the necessity for continuous vigilance and improvement. Oasis advocates using authenticator apps or transitioning to passwordless solutions for heightened security. Additionally, organizations should implement alerts for failed MFA attempts and incorporate stringent rate limits to prevent similar vulnerabilities. This revelation serves as a vital reminder that even established security measures need regular scrutiny and updates to protect against evolving cyber threats.