Researchers Bypass Microsoft Azure MFA in Just One Hour

A vulnerability in Microsoft Azure’s multifactor authentication (MFA) method enabled researchers to gain unauthorized access to user accounts, including Outlook emails, OneDrive files, Teams chats, and Azure Cloud services, in approximately one hour. This flaw was highlighted by researchers at Oasis Security in a blog post on December 11.

The critical issue stemmed from an absence of rate limiting for failed MFA sign-in attempts, which posed a risk to the security of over 400 million paid Microsoft 365 accounts. The researchers explained that the loophole allowed for rapid testing of authentication codes, thereby potentially leading to account takeovers.

When accessing a Microsoft account, users typically enter their email and password, followed by a code sent via a pre-set MFA method. The Oasis researchers demonstrated a technique they termed “AuthQuake,” which involved quickly generating new sessions and systematically testing multiple codes. This method facilitated an exhaustive guessing of available 6-digit codes, totaling one million possible combinations.

According to Tal Hason, a research engineer at Oasis, the ease and speed of attempting multiple logins simultaneously resulted in significant vulnerabilities, as account owners were not alerted about these suspicious activities. This lack of notification rendered the attack method particularly insidious.

In response to the findings, Oasis reported the issue to Microsoft, which acknowledged the vulnerability in June and implemented a fix by October 9. The resolution involved establishing stricter rate limits after a series of unsuccessful login attempts, significantly enhancing the protection of user accounts.

Ample Time to Guess MFA Code

Another flaw that contributed to the MFA bypass was the extended timeframe available for guessing a code. The attackers had about 2.5 minutes longer than the recommended limit, which violates guidelines set forth by the Internet Engineering Task Force (IETF) in RFC 6238. This document stipulates that codes should expire after 30 seconds, although many applications allow a grace period beyond that window, which can lead to unsafe situations.

Hason explained that during his team’s testing, the tolerance allowed for a single TOTP code to remain valid for approximately three minutes, significantly increasing the number of attempts an attacker could make. This extended duration offered a 3% chance of guessing the correct code within the newly allowed timeframe.

With continuous attempts across 24 sessions, an attacker could achieve over a 50% probability of success, highlighting the severity of the vulnerability. Oasis’s trials showed how quickly MFA could be circumvented, underlining key weaknesses that need to be addressed.

Best Practices for Safe MFA

Despite the effectiveness of MFA as a security measure, this incident underscores that no system is impervious to attacks. Oasis Security advises organizations to continue utilizing authenticator applications and adopting robust passwordless methods to bolster account protection.

Long-standing cybersecurity practices still hold; for example, regular password changes remain crucial. Additionally, organizations implementing MFA should send alerts to users regarding failed attempts, which can help flag suspicious activities before any damage occurs. Enhancing these notifications is essential for improving overall security.

Moreover, app developers integrating MFA should ensure their systems incorporate appropriate rate limits to prevent endless login attempts and lock accounts after a certain number of failures, thereby limiting the risk of successful MFA breaches.
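The following Python sketch is an added illustration of the practices above (it is not code from Oasis Security or Microsoft): a TOTP verifier that keeps the failure budget keyed by account rather than by session, holds the RFC 6238 validity window to 30 seconds plus a small drift tolerance, alerts the account owner on every failed code, and locks the account after a threshold. The thresholds, the `alert` callback and the seed are assumed values chosen for the example, and the last function only quantifies the article's 3%-per-window, 24-window figure.

```python
import hashlib
import hmac
import struct
from collections import defaultdict

STEP = 30               # RFC 6238 time step: a code is only valid for its 30-second window
SKEW_STEPS = 1          # assumed policy: tolerate one adjacent step for clock drift, not minutes
MAX_FAILURES = 10       # assumed policy: lock the account after this many failed codes
LOCKOUT_SECONDS = 900   # assumed policy: lockout duration in seconds

def totp(secret: bytes, t: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time counter floor(t / STEP)."""
    counter = struct.pack(">Q", int(t // STEP))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class MfaVerifier:
    """Failure budget keyed by account, not by session, so opening fresh
    sessions (the AuthQuake trick) does not hand the caller a new budget."""
    def __init__(self, secrets: dict, alert):
        self.secrets = secrets              # account -> TOTP seed (constructed for the example)
        self.alert = alert                  # callback(account, failures) that notifies the owner
        self.failures = defaultdict(int)
        self.locked_until = defaultdict(float)

    def verify(self, account: str, code: str, now: float) -> bool:
        secret = self.secrets.get(account)
        if secret is None or now < self.locked_until[account]:
            return False                    # unknown account or still locked out
        if len(code) == 6 and code.isdigit():
            for k in range(-SKEW_STEPS, SKEW_STEPS + 1):
                if hmac.compare_digest(totp(secret, now + k * STEP), code):
                    self.failures[account] = 0
                    return True
        self.failures[account] += 1
        self.alert(account, self.failures[account])   # every failed attempt is visible to the owner
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = 0
        return False

def takeover_probability(per_session: float, sessions: int) -> float:
    """Chance that at least one of `sessions` independent guessing windows succeeds,
    e.g. the article's 3% per window repeated over 24 windows."""
    return 1 - (1 - per_session) ** sessions
```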

Source
www.darkreading.com