CyberSecurity updates
2025-02-05 11:07:53 Pacific

Microsoft Azure MFA Bypass Vulnerability - 3d
Read more: cloudsecurityalliance.org

A critical vulnerability has been discovered in Microsoft's Multi-Factor Authentication (MFA) system, potentially allowing attackers to bypass security measures and gain unauthorized access to Office 365 accounts. The vulnerability, uncovered by Oasis Security, exploited a lack of rate limiting on session creation combined with a tolerance for time variations in Time-based One-Time Password (TOTP) codes. Together, these flaws enabled attackers to brute-force MFA codes within a 70-minute window: by rapidly creating new sessions and attempting numerous codes in each, they could effectively bypass MFA.

The bypass required no user interaction and, alarmingly, generated no notifications, leaving the account holder unaware of the attempts. Microsoft has since implemented a stricter rate limit to mitigate the vulnerability. The original flaw allowed up to 10 failed attempts per session, and a single code remained valid for around 3 minutes because of the tolerance for time differences. This extended window increased the chance of guessing a valid code and compromising the account. Microsoft has worked with the discovering organization to resolve the flaw.
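The core defect described above is a failed-attempt budget that resets whenever a fresh session is opened. The following added example (constructed for this summary; it is not Microsoft's or Oasis Security's code, and the class names, the 10-attempt budget and the 70-minute window are assumptions taken from the figures quoted here) contrasts a limiter keyed on the session with one keyed on the account across all sessions:

```python
"""Rate limiting MFA code checks: per-session (the flawed shape) vs per-account.

Constructed illustration: the limiter classes, names and numbers below are
assumptions for this example, not Microsoft's implementation.
"""
from collections import defaultdict, deque

MAX_FAILED = 10           # failed attempts allowed before further checks are refused
WINDOW_SECONDS = 70 * 60  # observation window for the per-account counter (assumed)


class PerSessionLimiter:
    """Budget keyed on the session id: opening a new session grants a fresh budget."""

    def __init__(self):
        self._failed = defaultdict(int)

    def allow(self, account, session, now):
        return self._failed[session] < MAX_FAILED

    def record_failure(self, account, session, now):
        self._failed[session] += 1


class PerAccountLimiter:
    """Budget keyed on the account, aggregated across every session and time-windowed."""

    def __init__(self):
        self._failed = defaultdict(deque)  # account -> timestamps of recent failures

    def allow(self, account, session, now):
        recent = self._failed[account]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()  # forget failures that fell outside the window
        return len(recent) < MAX_FAILED

    def record_failure(self, account, session, now):
        self._failed[account].append(now)


def attempts_permitted(limiter, account, sessions, per_session, now=0.0):
    """Count how many wrong codes the limiter lets through when `sessions`
    fresh sessions are opened and `per_session` codes are tried in each."""
    permitted = 0
    for i in range(sessions):
        session = f"session-{i}"
        for _ in range(per_session):
            if not limiter.allow(account, session, now):
                break
            limiter.record_failure(account, session, now)
            permitted += 1
    return permitted
```

With the per-session limiter, 100 fresh sessions yield 1000 permitted guesses; with the per-account limiter, the same activity is capped at 10 until the window expires.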