A critical vulnerability in Microsoft Azure’s multifactor authentication (MFA) system was recently uncovered by researchers, potentially exposing over 400 million paid Microsoft 365 seats. The flaw, discovered by Oasis Security, allowed unauthorized access to services such as Outlook email, OneDrive files, Teams chats, Azure Cloud, and more. The disclosure underscores how much the protection of sensitive information depends on MFA systems being implemented robustly.
The vulnerability stemmed from a lack of rate limiting in the MFA process, which let attackers make numerous unsuccessful sign-in attempts without triggering any alert to the account owner. The flaw, named “AuthQuake” by the researchers, allowed new sessions to be created rapidly and codes to be enumerated in parallel, producing a rate of attempts high enough to quickly exhaust the available options for a 6-digit code. As a result, a malicious actor could gain access to a user’s account without being detected.
Upon discovery of the issue, Oasis Security promptly informed Microsoft, which acknowledged the vulnerability and implemented a permanent fix by October 9th. The fix involved the introduction of a much stricter rate limit that activates after a certain number of failed attempts, adding an additional layer of protection to prevent unauthorized access.
One of the key factors that facilitated the MFA bypass was the extended timeframe during which a single code could be guessed, which exceeded the recommended validity period set by the Internet Engineering Task Force (IETF). This leniency gave the researchers a 3% chance of correctly guessing the code within the extended timeframe, significantly increasing the success rate of the attack. With each session lasting around 70 minutes, malicious actors could exploit this weakness to gain access to sensitive information.
While MFA remains a widely accepted security measure, the incident underscores the importance of following best practices to fortify online accounts. Organizations are advised to use authenticator apps or strong passwordless methods. Additionally, regular password changes and configuring email alerts for failed MFA attempts are recommended to mitigate the risk of unauthorized access.
Moving forward, it is crucial for organizations to prioritize security measures and adhere to industry best practices when implementing MFA systems. Designers of MFA applications should incorporate rate limits and account lockout mechanisms to prevent abuse and enhance security protocols. By ensuring robust security practices are in place, organizations can effectively safeguard against potential vulnerabilities and strengthen their defense against malicious attacks.
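As an added illustration of the controls the article calls for (this is example code, not Oasis Security’s or Microsoft’s), the verifier below contrasts the weak configuration, no failure cap and a long code lifetime, with a capped, short-lived one, and includes a helper for estimating how much guessing a given budget of attempts buys against a 6-digit code. The session ids, the 70-minute and 30-second lifetimes, the cap of 10 failures and the 30,000-guess figure are assumed values chosen for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

CODE_SPACE = 10 ** 6  # a 6-digit OTP has one million possible values


def guess_success_probability(attempts: int, code_space: int = CODE_SPACE) -> float:
    """Chance that `attempts` distinct guesses hit one fixed code while it is still valid.
    Constructed estimate: 30,000 guesses against a 6-digit code is a 3% chance."""
    return min(attempts, code_space) / code_space


@dataclass
class _Session:
    code: str
    issued_at: float
    failures: int = 0


@dataclass
class OtpVerifier:
    """Server-side OTP check with a per-session failure cap and a bounded code lifetime.
    max_attempts=None reproduces the weak configuration: no cap at all."""
    max_attempts: Optional[int]
    window_seconds: float
    _sessions: dict = field(default_factory=dict)

    def issue(self, session_id: str, now: float) -> str:
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self._sessions[session_id] = _Session(code, now)
        return code  # in a real flow this reaches the user through their authenticator

    def verify(self, session_id: str, guess: str, now: float) -> str:
        s = self._sessions.get(session_id)
        if s is None:
            return "no_session"
        if now - s.issued_at > self.window_seconds:
            return "expired"  # the code lifetime bounds the guessing window
        if self.max_attempts is not None and s.failures >= self.max_attempts:
            return "locked"  # refuse before comparing: no further oracle queries
        if hmac.compare_digest(s.code, guess):
            del self._sessions[session_id]  # single use
            return "ok"
        s.failures += 1
        return "wrong"


def failures_tolerated(verifier: OtpVerifier, session_id: str = "sess-1", limit: int = 1000) -> int:
    """Count how many wrong guesses the verifier accepts before refusing (capped at `limit`)."""
    verifier.issue(session_id, now=0.0)
    n = 0  # "not-a-code" can never match a 6-digit code, so every attempt is a failure
    while n < limit and verifier.verify(session_id, "not-a-code", now=1.0) == "wrong":
        n += 1
    return n
```

With the weak settings `failures_tolerated` runs all the way to its cap, whereas the hardened verifier stops answering after ten failures and rejects even the correct code once locked or expired.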
