SUMMARY
- Dubbed AuthQuake, the flaw in Microsoft's MFA allowed attackers to bypass the second factor and access user accounts.
- The vulnerability affected Azure, Office 365 and other Microsoft services, putting over 400 million paid Office 365 subscriptions at risk.
- The exploit combined two weaknesses: no rate limiting across login sessions, and TOTP codes that stayed valid for about 3 minutes instead of 30 seconds.
- Attackers could bypass MFA in under 70 minutes with a 50% success rate without user interaction.
- Microsoft patched the flaw permanently on October 9, 2024, with stricter rate-limiting mechanisms.
Cybersecurity researchers at Oasis Security have identified a vulnerability in Microsoft’s Multi-Factor Authentication (MFA), known as AuthQuake, which allows attackers to bypass security measures and gain unauthorized access to user accounts.
With over 400 million paid Office 365 subscriptions, the vulnerability offered cybercriminals a lucrative opportunity to steal sensitive information such as emails, files, and communications across Microsoft platforms including Outlook, OneDrive, Teams and Azure.
Exploiting Rate Limit and Time-Based One-Time Password (TOTP)
The exploit takes advantage of two weaknesses in the MFA implementation: a lack of rate limiting and an extended validity window for TOTP codes. When a user logs in, they are assigned a session ID and asked to verify their identity with a Time-Based One-Time Password (TOTP) from an authenticator app. The system permitted up to 10 failed code attempts per session without notifying the user or triggering any alert.
Because that cap applied only per session, an attacker could rapidly open new login sessions and try many TOTP codes in parallel. The codes are six-digit numbers, so there are a million possible values, and with no limit across sessions an attacker could in principle work through all of them without encountering any security control.
TOTP codes are normally valid for only 30 seconds, but Oasis's testing showed that Microsoft's system kept accepting a code for around 3 minutes. Several codes are therefore live at any moment, so each guess has a correspondingly higher chance of hitting a valid one, which is what makes the brute-force practical.
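To make the two weaknesses concrete, here is an added example in Python (not code from Oasis Security or Microsoft): an RFC 6238 TOTP verifier with the properties the article describes (10 failures per session, no limit across sessions, codes accepted for 6 steps of 30 seconds), a hardened variant with an account-wide lockout of the kind the article says Microsoft introduced, the probability arithmetic behind a brute-force attempt, and a simple attacker loop that opens a fresh session whenever the per-session cap is hit. The secret (the RFC 4226/6238 test-vector key), the timestamp, the 20-failure/12-hour lockout numbers and the attacker loop are assumptions made here for the demo.

```python
"""Model of the two AuthQuake weaknesses beside a hardened verifier.

Added example, not code from Oasis Security or Microsoft. The per-session cap of 10
failures and the 3-minute (6 x 30 s) acceptance window come from the article; the
secret, timestamp, session-id format, lockout numbers and attacker loop are assumptions.
"""
import hashlib
import hmac
import math
import secrets
import struct

CODE_SPACE = 10 ** 6               # six-digit codes
SECRET = b"12345678901234567890"   # RFC 4226/6238 test-vector key (assumed for the demo)
NOW = 1_700_000_000.0              # constructed login timestamp


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP for the 30-second step containing `now`."""
    return hotp(secret, int(now // step))


def success_probability(guesses: int, valid_codes: int, space: int = CODE_SPACE) -> float:
    """P(at least one hit) after `guesses` guesses when `valid_codes` of `space` codes are
    accepted at any moment (guesses modelled as independent, an approximation)."""
    return 1 - (1 - valid_codes / space) ** guesses


def guesses_for(target: float, valid_codes: int, space: int = CODE_SPACE) -> int:
    """Smallest number of guesses whose success probability reaches `target`."""
    return math.ceil(math.log(1 - target) / math.log(1 - valid_codes / space))


class VulnerableVerifier:
    """Only a per-session failure cap, plus a wide acceptance window (6 steps = 3 min)."""

    def __init__(self, secret: bytes, valid_steps: int = 6, per_session: int = 10, step: int = 30):
        self.secret, self.valid_steps, self.per_session, self.step = secret, valid_steps, per_session, step
        self.sessions: dict[str, int] = {}   # session id -> failed attempts in that session
        self._cache_step, self._cache = None, set()

    def new_session(self) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = 0
        return sid

    def accepted_codes(self, now: float) -> set[str]:
        """All codes accepted right now: the current step and the previous valid_steps-1.
        Cached per step so the brute-force loop stays fast."""
        current = int(now // self.step)
        if self._cache_step != current:
            self._cache = {hotp(self.secret, current - k) for k in range(self.valid_steps)}
            self._cache_step = current
        return self._cache

    def verify(self, sid: str, code: str, now: float) -> bool:
        if self.sessions[sid] >= self.per_session:
            return False                      # session exhausted; nothing stops a fresh session
        if code in self.accepted_codes(now):  # a real verifier would use hmac.compare_digest
            return True
        self.sessions[sid] += 1
        return False


class HardenedVerifier(VulnerableVerifier):
    """Adds an account-wide failure budget with a lockout lasting hours (the shape of the
    fix the article describes) and shrinks the window to the current and previous step."""

    def __init__(self, secret: bytes, valid_steps: int = 2, per_session: int = 10, step: int = 30,
                 lockout_after: int = 20, lockout_seconds: int = 12 * 3600):
        super().__init__(secret, valid_steps, per_session, step)
        self.lockout_after, self.lockout_seconds = lockout_after, lockout_seconds
        self.total_failures, self.locked_until = 0, 0.0

    def verify(self, sid: str, code: str, now: float) -> bool:
        if now < self.locked_until:
            return False                      # locked: even a correct code is rejected
        ok = super().verify(sid, code, now)
        if not ok:
            self.total_failures += 1          # counted across ALL sessions of the account
            if self.total_failures >= self.lockout_after:
                self.locked_until = now + self.lockout_seconds
                self.total_failures = 0
        return ok


def brute_force(verifier: VulnerableVerifier, now: float, max_guesses: int = CODE_SPACE):
    """Attacker loop: try codes 000000 upwards, opening a fresh session whenever the
    per-session cap is hit. Returns (succeeded, guesses_used, sessions_opened)."""
    sid, sessions = verifier.new_session(), 1
    for i in range(max_guesses):
        if verifier.sessions[sid] >= verifier.per_session:
            sid, sessions = verifier.new_session(), sessions + 1
        if verifier.verify(sid, f"{i:06d}", now):
            return True, i + 1, sessions
    return False, max_guesses, sessions


if __name__ == "__main__":
    print("guesses for 50% with 6 codes live:", guesses_for(0.5, 6))
    print("vulnerable:", brute_force(VulnerableVerifier(SECRET), NOW))
    print("hardened:  ", brute_force(HardenedVerifier(SECRET), NOW, max_guesses=10_000))
```

Against the vulnerable verifier the loop always succeeds: every tenth failure it simply opens another session, and the per-session cap never becomes an account-level limit. `guesses_for(0.5, 6)` shows why the long window matters: with six codes live at once, roughly 115,000 guesses give a coin-flip chance, about a sixth of what a single 30-second window would require. The hardened verifier stops the same loop after 20 failures regardless of how many sessions were opened, and rejects even the correct code until the lockout expires. The fixed `now` models an attacker working inside one acceptance window; over a longer attack the live set rotates, which the probability function captures more honestly than the loop does.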
Result?
According to Oasis Security's blog post, shared with Hackread.com ahead of its publication on Wednesday, December 11, the researchers concluded that attackers could bypass MFA in under 70 minutes with a 50% success rate, all without any user interaction or alerts. The researchers also recorded a video demonstration of the exploit during their own testing.
Microsoft’s Response
Oasis Security reported the vulnerability to Microsoft. The tech giant responded quickly, deploying a temporary fix on July 4, 2024 and a permanent fix on October 9, 2024. The fix introduced stricter rate limits that kick in after a number of failed attempts and last for about half a day.
Jason Soroko, Senior Fellow at Sectigo, emphasizes the broader implications of this discovery, stating, “AuthQuake highlights significant flaws in Microsoft’s MFA implementation. It’s a wake-up call for organizations to adopt patches and reconsider their reliance on outdated MFA solutions. The move towards passwordless authentication is not just a trend but a necessity for future-proofing our security measures.”
Lesson for Users and Companies
While this specific flaw has been patched, organizations should remind employees of basic security hygiene and encourage them to report any suspicious login attempts. The weakness lay in how Microsoft's servers verified codes, not in TOTP itself, so MFA remains a critical security measure: keep using authenticator apps, and explore stronger passwordless methods for added protection.