Researchers Crack Microsoft Azure MFA in an Hour
A critical flaw in the company's rate limit for failed sign-in attempts allowed unauthorized access to a user account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more.
December 11, 2024
Researchers cracked a Microsoft Azure method for multifactor authentication (MFA) in about an hour, due to a critical vulnerability that allowed them unauthorized access to a user's account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more.
Researchers at Oasis Security discovered the flaw, which stemmed from the absence of a rate limit on the number of times someone could attempt, and fail, an MFA sign-in to an account, they revealed in a blog post on Dec. 11. The flaw exposed the more than 400 million paid Microsoft 365 seats to potential account takeover, they said.
When signing into a Microsoft account, a user supplies their email and password and then selects a pre-configured MFA method. In the method the researchers tested, Microsoft sends the user a code through a separate channel, and the user enters that code to complete sign-in.
The researchers achieved the bypass, which they dubbed "AuthQuake," by "rapidly creating new sessions and enumerating codes," Tal Hason, an Oasis research engineer, wrote in the post. This allowed them to demonstrate "a very high rate of attempts that would quickly exhaust the total number of options for a 6-digit code," which is 1 million, he explained.
"Simply put — one could execute many attempts simultaneously," Hason wrote. Moreover, during the multiple failed attempts to sign in, account owners did not receive any alert about the activity, "making this vulnerability and attack technique dangerously low profile," Hason wrote.
Oasis informed Microsoft of the issue, which acknowledged its existence in June and fixed it permanently by Oct. 9, the researchers said. "While specific details of the changes are confidential, we can confirm that Microsoft introduced a much stricter rate limit that kicks in after a number of failed attempts; the strict limit lasts around half a day," Hason wrote.
Ample Time to Guess MFA Code
Another issue that enabled the MFA bypass was that the window an attacker had to guess a single code was 2.5 minutes longer than the timeframe recommended for a time-based one-time password (TOTP) by RFC-6238, the Internet Engineering Task Force (IETF) recommendation for implementing MFA.
RFC-6238 recommends that a code expires after 30 seconds; however, most MFA applications provide a short grace period and allow these codes to be valid longer.
"This means that a single TOTP code may be valid for more than 30 seconds," Hason explained. "The Oasis Security Research team's testing with Microsoft sign-in showed a tolerance of around three minutes for a single code, extending 2.5 minutes past its expiry, allowing 6x more attempts to be sent."
This extra time meant that the researchers had a 3% chance of correctly guessing the code within the extended timeframe, Hason explained. A malicious actor trying to crack the code would have been likely to proceed and run further sessions until they hit a valid guess, which the researchers proceeded to do without encountering any limitations, he said.
After 24 sessions of trying to guess the code, which would take around 70 minutes, a malicious actor would already pass the 50% chance of hitting the valid code. In their research, the Oasis team attempted this method several times, and once even found they guessed the code early on in the process, exposing how quickly MFA could be bypassed.
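The 3% and 50% figures above follow from simple compounding, and the same arithmetic tells a defender how much a tighter limit buys. The block below is an added illustration, not code from Oasis Security or Microsoft. The 30,000 attempts per three-minute window is inferred here from the article's 3% and one-million figures (30,000 / 1,000,000 = 0.03); the article itself does not report the attempt rate. The 10-attempt-per-window limit at the end is an assumed policy value for comparison.

```python
"""Added example: compounding the per-session odds the article describes,
and comparing an unlimited window against a tight failed-attempt budget.
Illustration only; assumptions are labelled in the comments."""
import math

CODE_SPACE = 10 ** 6          # a 6-digit code has one million possibilities
ASSUMED_ATTEMPTS_PER_WINDOW = 30_000   # inferred from the page's 3% figure, not stated by it
SESSIONS_IN_70_MINUTES = 24   # the article's figure


def per_session_success(attempts_in_window: int, code_space: int = CODE_SPACE) -> float:
    """Chance that one session guesses the code, assuming each attempt is a distinct guess
    and all attempts land inside the code's validity window."""
    return min(attempts_in_window, code_space) / code_space


def cumulative_success(p_session: float, sessions: int) -> float:
    """Chance that at least one of `sessions` independent sessions succeeds:
    1 - (1 - p)^n, since each fresh session gets a fresh code."""
    return 1.0 - (1.0 - p_session) ** sessions


def sessions_to_reach(p_session: float, target: float) -> int:
    """Fewest independent sessions needed for the cumulative chance to reach `target`."""
    if not 0.0 < p_session < 1.0 or not 0.0 < target < 1.0:
        raise ValueError("probabilities must lie strictly between 0 and 1")
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_session))


def risk_report(attempts_in_window: int, sessions: int) -> dict:
    """Summarise the attacker's odds for a given attempt budget per code window."""
    p = per_session_success(attempts_in_window)
    return {
        "per_session": p,
        "after_sessions": cumulative_success(p, sessions),
        "sessions_to_50pct": sessions_to_reach(p, 0.5),
    }


if __name__ == "__main__":
    # Unlimited attempts inside a ~3-minute window, as the article describes.
    print("unlimited:", risk_report(ASSUMED_ATTEMPTS_PER_WINDOW, SESSIONS_IN_70_MINUTES))
    # Assumed policy: only 10 failed attempts allowed per code window.
    print("10/window:", risk_report(10, SESSIONS_IN_70_MINUTES))
```

With unlimited attempts the per-session chance is 0.03 and the cumulative chance crosses 50% at the 23rd session, matching the article's "after 24 sessions ... already pass the 50% chance". With a 10-attempt budget per window, 24 sessions give roughly a 0.02% chance, which is why a strict per-account limit on failed attempts matters more than any other single control here.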
Best Practices for Safe MFA
While MFA is still considered one of the most secure ways to protect online accounts, the research demonstrates that no system is completely attacker-proof. Oasis recommended that organizations continue to use either authenticator apps or strong passwordless methods to protect user accounts.
Other best practices include one that has long been part of basic password hygiene: users should change the passwords to their online accounts frequently. Moreover, any organization using MFA to protect accounts should add a mail alert to notify users of failed MFA attempts, even if it does not notify them of every failed password sign-in attempt, Hason noted.
This latter advice should also apply to any organization building MFA into a system or application, according to Oasis. MFA designers should also enforce rate limits that do not allow indefinite sign-in attempts, and lock an account at a certain point to limit successful MFA attacks or bypasses.
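The three controls Oasis lists (a failed-attempt alert, a rate limit with lockout, and a validity window no longer than the standard allows) fit in one small server-side verifier. The block below is an added example written for this article, not Microsoft's implementation or Oasis Security's code. The TOTP computation follows RFC 4226/6238 (HMAC-SHA1 over the time-step counter with dynamic truncation); the five-failure threshold and the one-step drift tolerance are assumed policy values, the twelve-hour lockout mirrors the "around half a day" the article reports, and the `secret_for` and `alert` callables are placeholders for the deployment's own seed store and notification path.

```python
"""Added example: an RFC 6238 TOTP verifier with a bounded validity window,
a per-account failed-attempt limit with lockout, and a failed-attempt alert hook.
Illustration only, not Microsoft's or Oasis Security's code; policy values are assumed."""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed 30-second time steps."""
    return hotp(secret, int(now // step), digits)


@dataclass
class AccountState:
    failures: int = 0             # consecutive wrong codes since the last success or lockout
    locked_until: float = 0.0     # epoch seconds; 0 means not locked
    last_accepted_step: int = -1  # highest time step already used, to refuse replayed codes


@dataclass
class MfaVerifier:
    secret_for: Callable[[str], bytes]                    # placeholder: account -> TOTP seed
    alert: Optional[Callable[[str, str], None]] = None    # placeholder: notify the user
    max_failures: int = 5                                 # assumed policy value
    lockout_seconds: float = 12 * 3600                    # "around half a day", per the article
    drift_steps: int = 1                                  # accept +/- one 30 s step, not minutes
    step: int = 30
    state: Dict[str, AccountState] = field(default_factory=dict)

    def verify(self, account: str, code: str, now: Optional[float] = None) -> str:
        """Return "ok", "rejected", "replayed" or "locked" for one sign-in attempt."""
        now = time.time() if now is None else now
        st = self.state.setdefault(account, AccountState())
        if now < st.locked_until:
            return "locked"  # refuse without evaluating the code while the lock holds
        code = code.strip()
        if code.isascii() and code.isdigit():
            secret = self.secret_for(account)
            current = int(now // self.step)
            # Only the current step and its immediate neighbours are valid: 90 s at most.
            for delta in range(-self.drift_steps, self.drift_steps + 1):
                candidate = current + delta
                if hmac.compare_digest(hotp(secret, candidate), code):
                    if candidate <= st.last_accepted_step:
                        return "replayed"   # a code already spent cannot be reused
                    st.last_accepted_step = candidate
                    st.failures = 0
                    return "ok"
        # Wrong code: count it, tell the account owner, and lock after the threshold.
        st.failures += 1
        if self.alert is not None:
            self.alert(account, f"failed MFA attempt {st.failures} of {self.max_failures}")
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0
            return "locked"
        return "rejected"


if __name__ == "__main__":
    # Constructed demo seed and clock; a real deployment loads the seed per account.
    demo_secret = b"constructed-demo-secret"
    t0 = 1_700_000_000.0
    v = MfaVerifier(secret_for=lambda _acct: demo_secret,
                    alert=lambda acct, msg: print(f"[alert -> {acct}] {msg}"))
    print(v.verify("alice", totp(demo_secret, t0), t0))   # ok
    print(v.verify("alice", "000000", t0))                # rejected (or, rarely, ok by chance)
```

Two design points are worth noting. The lock is checked before any code is evaluated, so a locked account gives an attacker no feedback at all, and the alert fires on every failure rather than only at lockout, which is exactly the low-profile gap the article describes. The drift tolerance is expressed in 30-second steps rather than minutes, so widening the window for clock skew is a deliberate, visible choice rather than an accident of implementation.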