Cybersecurity researchers have flagged a "critical" security vulnerability in Microsoft's multi-factor authentication (MFA) implementation that allowed an attacker to trivially bypass the protection and gain unauthorized access to a victim's account.
"The bypass was simple: it took around an hour to execute, required no user interaction and did not generate any notification or provide the account holder with any indication of trouble," Oasis Security researchers Elad Luz and Tal Hason said in a report shared with The Hacker News.
Following responsible disclosure, the issue, codenamed AuthQuake, was addressed by Microsoft in October 2024.
While the Windows maker supports various ways to authenticate users via MFA, one method involves entering a six-digit code from an authenticator app after supplying the credentials. Up to 10 consecutive failed attempts are permitted for a single session.
The vulnerability identified by Oasis, at its core, concerns a lack of rate limiting combined with an extended time window for providing and validating these one-time codes. Because the failure counter was kept per session rather than per account, a malicious actor could rapidly spawn new sessions and enumerate all possible values of the code (i.e., one million) without ever alerting the victim to the failed login attempts.
It's worth noting at this point that such codes are time-based one-time passwords (TOTPs): the authenticator app and the server derive each code from a shared secret and the current time step, so the code changes as the clock advances. The app shows a given code for only about 30 seconds, after which it rotates.
"However, due to potential time differences and delays between the validator and the user, the validator is encouraged to accept a larger time window for the code," Oasis pointed out. "In short, this means that a single TOTP code may be valid for more than 30 seconds."
In Microsoft's case, the New York-based company found a code to be accepted for as long as 3 minutes, opening the door to a scenario where an attacker could use the extended time window to run many brute-force attempts concurrently against the six-digit code.
"Introducing rate-limits and making sure they are properly implemented is crucial," the researchers said. "Rate limits might not be enough, in addition – consequent failed attempts should trigger an account lock."
Microsoft has since enforced a stricter rate limit that is triggered after a number of failed attempts. Oasis also said the new limit lasts around half a day.
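To make the conditions described above concrete, here is a small model of the flaw (a wide acceptance window and a 10-tries-per-session limit with no account-wide counter) and of the fix (an account-wide failure counter that blocks further attempts for about half a day). This is an added illustration and not Oasis' or Microsoft's code; the window shape (five past time steps, giving a 180-second lifetime per code), the attacker's request rate of 100 per second, the 12-hour lockout and the secret are assumptions chosen to match the figures in the article, not published details of Microsoft's implementation.

```python
"""Model of the AuthQuake conditions. Added illustration, not Oasis' or
Microsoft's code: window shape, session limit, lockout length, attacker
rate and the secret are all assumptions of the model."""
import hashlib
import hmac
import random
import struct
from dataclasses import dataclass
from typing import Optional

STEP_SECONDS = 30          # RFC 6238 default time step
DIGITS = 6
KEYSPACE = 10 ** DIGITS    # one million possible codes


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP; TOTP is HOTP over the time-step counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % KEYSPACE:0{DIGITS}d}"


def totp(secret: bytes, now: float) -> str:
    """The code an authenticator app would show at wall-clock time `now`."""
    return hotp(secret, int(now // STEP_SECONDS))


@dataclass
class Session:
    fails: int = 0         # the only counter the weak validator keeps


@dataclass
class Validator:
    secret: bytes
    past_steps: int                    # earlier steps still accepted (delay/skew)
    future_steps: int                  # later steps accepted
    per_session_limit: int = 10        # failed tries allowed per session
    account_limit: Optional[int] = None  # None: no account-wide limit (the flaw)
    lockout_seconds: float = 12 * 3600   # assumed "about half a day"
    _account_fails: int = 0
    _locked_until: float = 0.0
    _cache: tuple = (None, frozenset())

    def accepted_codes(self, now: float) -> frozenset:
        """Every code accepted at `now`; recomputed once per time step."""
        step = int(now // STEP_SECONDS)
        if self._cache[0] != step:
            codes = frozenset(hotp(self.secret, step + d)
                              for d in range(-self.past_steps, self.future_steps + 1))
            self._cache = (step, codes)
        return self._cache[1]

    def code_lifetime_seconds(self) -> int:
        """How long one code stays acceptable, not just its 30 s display time."""
        return (self.past_steps + self.future_steps + 1) * STEP_SECONDS

    def verify(self, session: Session, code: str, now: float) -> str:
        if now < self._locked_until:
            return "locked"
        if session.fails >= self.per_session_limit:
            return "session_exhausted"
        if code in self.accepted_codes(now):
            self._account_fails = 0
            return "ok"
        session.fails += 1
        self._account_fails += 1
        if self.account_limit is not None and self._account_fails >= self.account_limit:
            self._locked_until = now + self.lockout_seconds
        return "wrong"


def expected_guesses(validator: Validator, now: float) -> float:
    """Mean random guesses until a hit: keyspace / simultaneously valid codes."""
    return KEYSPACE / len(validator.accepted_codes(now))


def brute_force(validator: Validator, start: float, rate: float, budget: int, seed: int) -> dict:
    """Attacker spraying random codes at `rate` requests/s, opening a fresh
    session whenever the current one is exhausted, without user interaction."""
    rng, now, session, sessions = random.Random(seed), start, Session(), 1
    for attempt in range(1, budget + 1):
        guess = f"{rng.randrange(KEYSPACE):0{DIGITS}d}"
        status = validator.verify(session, guess, now)
        if status == "session_exhausted":        # the flaw: just start a new session
            session, sessions = Session(), sessions + 1
            status = validator.verify(session, guess, now)
        if status in ("ok", "locked"):
            return {"cracked": status == "ok", "locked": status == "locked",
                    "attempts": attempt, "sessions": sessions, "elapsed": now - start}
        now += 1.0 / rate
    return {"cracked": False, "locked": False, "attempts": budget,
            "sessions": sessions, "elapsed": now - start}


if __name__ == "__main__":
    secret = b"constructed-demo-secret"       # constructed; real seeds are random bytes
    t0 = 1_700_000_000.0
    weak = Validator(secret, past_steps=5, future_steps=0)
    hardened = Validator(secret, past_steps=5, future_steps=0, account_limit=10)
    for name, v in (("weak", weak), ("hardened", hardened)):
        print(name, v.code_lifetime_seconds(), "s per code, expected guesses",
              int(expected_guesses(v, t0)), brute_force(v, t0, 100.0, 5_000_000, 1))
```

With the six-step window the server accepts up to six distinct codes at any instant, so a random guess is six times as likely to succeed as against a strict 30-second validator, and the attacker needs on average about 167,000 requests rather than a million; at 100 requests per second that is well under an hour, in line with the time Oasis reported. Against the hardened validator the same attacker is refused after the tenth account-wide failure. One caveat a practitioner should weigh: an account-wide lockout also lets anyone who knows the username lock the legitimate user out, so it belongs alongside per-source rate limits and failed-attempt notifications rather than in place of them.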
"The recent discovery of the AuthQuake vulnerability in Microsoft's Multi-Factor Authentication (MFA) serves as a reminder that security isn't just about deploying MFA – it must also be configured properly," James Scobey, chief information security officer at Keeper Security, said in a statement.
“While MFA is undoubtedly a powerful defense, its effectiveness depends on key settings, such as rate limiting to thwart brute-force attempts and user notifications for failed login attempts. These features are not optional; they are critical for enhancing visibility, allowing users to spot suspicious activity early and respond swiftly.”