Multi-factor authentication (MFA) is often considered a robust security measure. However, Oasis Security researchers recently discovered a critical vulnerability in Microsoft MFA. This flaw allowed attackers to gain unauthorized access to accounts and applications hosted on Microsoft Cloud.
The Vulnerability
- The Flaw in Action: Normally, when you log in, you provide your password, and then a six-digit code from an authenticator app is required to complete the login. But the research team exploited a system loophole that let them keep trying codes by creating new login sessions. They essentially “guessed” the codes faster than the system could catch them.
- Extended Code Validity: Normally, an MFA code expires after 30 seconds, but this flaw allowed hackers to use the same code for up to 3 minutes.
Impact on Users
Hackers could:
- Access emails in Outlook (e.g., sensitive business communications).
- View personal and work files in OneDrive.
- Intercept private conversations in Teams.
- Gain unauthorized access to cloud resources in Azure.
Microsoft quickly addressed the issue:
Microsoft acknowledged the issue in June 2024, deployed a temporary fix, and later fixed it permanently.
- Rate Limits: They limited the number of code attempts allowed within a specific time.
- Temporary Fixes: Deployed immediately to block ongoing attacks.
- Permanent Solutions: Introduced by October 2024, ensuring the vulnerability could not be exploited again.
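The two design points above (attempt limits that are tied to the login session rather than the account, and a code that stays valid far longer than one 30-second step) and the rate-limit fix can be shown side by side in code. The following is an added example written for this article, not code from Microsoft or from the Oasis Security report: a small RFC 6238 TOTP verifier with a weak variant that counts attempts per session and accepts codes for six time steps, and a hardened variant that counts failures per account across all sessions, throttles the account after a few failures, accepts only the current step plus one step of clock skew, and refuses to accept the same code twice. The secret, timestamps and attempt limits are constructed for the demonstration.

```python
"""TOTP verification, weak versus hardened throttling (constructed example)."""
import hashlib
import hmac
import struct
from collections import defaultdict

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(now // STEP))


class PerSessionVerifier:
    """Weak design, modelled on the flaw described in the article: failed attempts
    are counted per login session, and a code stays valid for six time steps
    (three minutes). Starting a new session starts a fresh attempt counter."""

    def __init__(self, secret: bytes, max_attempts: int = 10, valid_steps: int = 6):
        self.secret = secret
        self.max_attempts = max_attempts
        self.valid_steps = valid_steps
        self.attempts = defaultdict(int)  # session_id -> attempts so far

    def verify(self, session_id: str, code: str, now: float) -> str:
        if self.attempts[session_id] >= self.max_attempts:
            return "locked"
        self.attempts[session_id] += 1
        step = int(now // STEP)
        for delta in range(self.valid_steps):  # current step and the five before it
            if hmac.compare_digest(hotp(self.secret, step - delta), code):
                return "ok"
        return "bad_code"


class PerAccountVerifier:
    """Hardened design: failures are counted per account regardless of session,
    the account is throttled once max_failures occur within lockout_seconds,
    only the current step (plus one step of clock skew) is accepted, and an
    accepted code cannot be replayed."""

    def __init__(self, secret: bytes, max_failures: int = 5,
                 lockout_seconds: int = 300, skew_steps: int = 1):
        self.secret = secret
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.skew_steps = skew_steps
        self.failures = defaultdict(list)  # account -> timestamps of failed attempts
        self.last_step = {}                # account -> step of the last accepted code

    def verify(self, account: str, code: str, now: float) -> str:
        # Keep only failures inside the lockout window; the session id is irrelevant.
        recent = [t for t in self.failures[account] if now - t < self.lockout_seconds]
        self.failures[account] = recent
        if len(recent) >= self.max_failures:
            return "locked"  # refused before the code is even examined
        step = int(now // STEP)
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            candidate = step + delta
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                if candidate <= self.last_step.get(account, -1):
                    break  # code from this or an earlier step was already used: replay
                self.last_step[account] = candidate
                return "ok"
        recent.append(now)
        return "bad_code"


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed secret (RFC 4226 test-vector key)
    now = 1_700_000_000.0
    weak, hard = PerSessionVerifier(secret), PerAccountVerifier(secret)
    print("weak accepts 150 s old code:", weak.verify("s1", totp(secret, now - 150), now))
    print("hard rejects 150 s old code:", hard.verify("alice", totp(secret, now - 150), now))
```

The point of the comparison is where the counter lives: the weak verifier keys its limit on something the client controls (the session), so the limit can be reset at will, while the hardened verifier keys it on the account, which the client cannot change. Replay protection and a one-step skew window are the RFC 6238 recommendations and are included because a verifier without them is easier to reason about wrongly.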
What Can You Do?
While this specific issue has been resolved, here are steps to protect yourself:
- Enable MFA Everywhere:
Always use MFA for accounts, as it adds a significant security layer. Even with rare vulnerabilities, it’s much safer than relying on passwords alone.
- Monitor Login Alerts:
Set up notifications for failed login attempts. This can help detect suspicious activity early.
- Use Strong Passwords:
Combine MFA with unique, strong passwords to make it harder for hackers to compromise your accounts.
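A single failed login alert is noisy; what distinguishes the pattern described in this article from a user mistyping a code is many MFA failures for one account spread across several fresh login sessions in a short time. The following is an added example, not taken from the article or from Oasis Security, that runs such a rule over constructed sign-in log lines. The key=value log format, the event names and the thresholds are assumptions chosen for the demonstration; a real deployment would map them onto whatever sign-in log fields are available.

```python
"""Flag MFA failures spread across many sessions for one account (constructed example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sign-in log in a hypothetical key=value format.
# bob mistypes twice then succeeds (normal); alice fails ten times across five sessions.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z user=bob session=b1 event=mfa_verify result=failure
2024-06-01T10:00:05Z user=bob session=b1 event=mfa_verify result=failure
2024-06-01T10:00:09Z user=bob session=b1 event=mfa_verify result=success
2024-06-01T10:01:00Z user=alice session=a1 event=mfa_verify result=failure
2024-06-01T10:01:02Z user=alice session=a1 event=mfa_verify result=failure
2024-06-01T10:01:04Z user=alice session=a2 event=mfa_verify result=failure
2024-06-01T10:01:06Z user=alice session=a2 event=mfa_verify result=failure
2024-06-01T10:01:08Z user=alice session=a3 event=mfa_verify result=failure
2024-06-01T10:01:10Z user=alice session=a3 event=mfa_verify result=failure
2024-06-01T10:01:12Z user=alice session=a4 event=mfa_verify result=failure
2024-06-01T10:01:14Z user=alice session=a4 event=mfa_verify result=failure
2024-06-01T10:01:16Z user=carol session=c1 event=password result=success
2024-06-01T10:01:18Z user=alice session=a5 event=mfa_verify result=failure
2024-06-01T10:01:20Z user=alice session=a5 event=mfa_verify result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<session>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect_mfa_guessing(lines, window_seconds=120, min_failures=8, min_sessions=3):
    """Return one alert per user whose MFA failures inside a sliding window reach
    min_failures and span at least min_sessions distinct login sessions.
    Lines are assumed to be in time order; the alert keeps the latest counts."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # user -> deque of (timestamp, session) failures
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event"] != "mfa_verify" or ev["result"] != "failure":
            continue
        user = ev["user"]
        q = recent[user]
        q.append((ev["ts"], ev["session"]))
        while q and ev["ts"] - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        sessions = {s for _, s in q}
        if len(q) >= min_failures and len(sessions) >= min_sessions:
            alerts[user] = {
                "user": user,
                "failures": len(q),
                "sessions": len(sessions),
                "first": q[0][0].isoformat(),
                "last": ev["ts"].isoformat(),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mfa_guessing(SAMPLE_LOG.splitlines()):
        print(alert)
```

Requiring several distinct sessions is what keeps the rule quiet for bob, whose two failures come from one session, while alice's ten failures across five sessions trip it. Lowering the thresholds to a single session and two failures makes the same function fire on bob too, which is the usual trade-off between catching slow guessing and paging on typos.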
While technology can have flaws, you should stay informed and proactive to keep your digital life safe.
For more details, read the Oasis Security report here.