info@thehackernews.com (The Hacker News)
2024-12-11 09:32:00
thehackernews.com
Cybersecurity researchers have flagged a “critical” security vulnerability in Microsoft’s multi-factor authentication (MFA) implementation that allows an attacker to trivially sidestep the protection and gain unauthorized access to a victim’s account.
“The bypass was simple: it took around an hour to execute, required no user interaction and did not generate any notification or provide the account holder with any indication of trouble,” Oasis Security researchers Elad Luz and Tal Hason said in a report shared with The Hacker News.
Following responsible disclosure, the issue – codenamed AuthQuake – was addressed by Microsoft in October 2024.
While the Windows maker supports various ways to authenticate users via MFA, one method involves entering a six-digit code from an authenticator app after supplying the credentials. Up to 10 consequent failed attempts are permitted for a single session.
The vulnerability identified by Oasis, at its core, concerns a lack of rate limit and an extended time interval when providing and validating these one-time codes, thereby allowing a malicious actor to rapidly spawn new sessions and enumerate all possible permutations of the code (i.e., one million) without even alerting the victim about the failed login attempts.
It’s worth noting at this point that such codes are time-based, also referred to as time-based one-time passwords (TOTPs) wherein they are generated using the current time as a source of randomness. What’s more, the codes remain active only for a period of about 30 seconds, after which they are rotated.
“However, due to potential time differences and delays between the validator and the user, the validator is encouraged to accept a larger time window for the code,” Oasis pointed out. “In short, this means that a single TOTP code may be valid for more than 30 seconds.”
In the case of Microsoft, the New York-based company found the code to be valid for as long as 3 minutes, thus opening the door to a scenario where an attacker could take advantage of the extended time window to initiate more brute-force attempts simultaneously to crack the six-digit code.
“Introducing rate-limits and making sure they are properly implemented is crucial,” the researchers said. “Rate limits might not be enough, in addition – consequent failed attempts should trigger an account lock.”
Microsoft has since enforced a stricter rate limit that gets triggered after a number of failed attempts. Oasis also said the new limit lasts around half a day.
“The recent discovery of the AuthQuake vulnerability in Microsoft’s Multi-Factor Authentication (MFA) serves as a reminder that security isn’t just about deploying MFA – it must also be configured properly,” James Scobey, chief information security officer at Keeper Security, said in a statement.
“While MFA is undoubtedly a powerful defense, its effectiveness depends on key settings, such as rate limiting to thwart brute-force attempts and user notifications for failed login attempts. These features are not optional; they are critical for enhancing visibility, allowing users to spot suspicious activity early and respond swiftly.”
Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.
Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.
Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!
Support Techcratic
If you find value in Techcratic’s insights and articles, consider supporting us with Bitcoin. Your support helps me, as a solo operator, continue delivering high-quality content while managing all the technical aspects, from server maintenance to blog writing, future updates, and improvements. Support Innovation! Thank you.
Bitcoin Address:
bc1qlszw7elx2qahjwvaryh0tkgg8y68enw30gpvge
Please verify this address before sending funds.
Bitcoin QR Code
Simply scan the QR code below to support Techcratic.
Please read the Privacy and Security Disclaimer on how Techcratic handles your support.
Disclaimer: As an Amazon Associate, Techcratic may earn from qualifying purchases.