A critical flaw in the rate limiting of failed MFA login attempts at Microsoft allowed unauthorized access to a user account, including that user's Outlook inbox.
Researchers at Oasis Security discovered a vulnerability in Microsoft Azure's multifactor authentication (MFA), Dark Reading reports. The vulnerability allowed them to crack a user's account in about an hour and gave unauthorized access to a wide range of user data and environments, including Outlook emails, OneDrive files, Teams chats and Azure Cloud.
According to a blog post by Oasis Security on Dec. 11, the problem was the lack of a rate limit on the number of failed MFA login attempts. This left more than 400 million paid Microsoft 365 accounts exposed to possible account takeover, they said.
Quickly creating new sessions
When logging into a Microsoft account, a user enters their email address and password, followed by a preset MFA method.
The researchers managed to bypass security by quickly creating new sessions and enumerating codes, as Tal Hason, a research engineer at Oasis, explained in the blog post. This let them make a very high number of attempts and quickly exhaust all possible combinations of a 6-digit code, 1 million possibilities in total.
“Simply put – someone could perform many attempts at the same time,” Hason wrote. Moreover, during these failed attempts, account owners did not receive any notification of suspicious activity, which made this vulnerability difficult to detect, he added.
Microsoft implements stricter rate limit
Oasis informed Microsoft of the problem. Microsoft acknowledged the flaw in June and fixed it on Oct. 9. Although the exact details remain confidential, Hason confirmed that Microsoft implemented a much stricter rate limit, which stays in force for about half a day after a certain number of failed attempts.
Analysis showed an additional problem: the time period in which an attacker could guess a single code was 2.5 minutes longer than the period recommended for a time-based one-time password (TOTP) by RFC 6238, an Internet Engineering Task Force (IETF) standard.
RFC 6238 recommends that a code expire after 30 seconds. In tests against Microsoft logins, the researchers found that a single code remained valid for about three minutes, 2.5 minutes longer than recommended. This gave attackers six times as much time.
This extra time gave attackers a 3% chance of guessing the code within a single extended validity period. With 24 attempts, taking about 70 minutes, the probability would already exceed 50%. In some cases the researchers guessed the code in far less time, showing how vulnerable MFA can be.
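To make the article's arithmetic reproducible, here is an added risk model (written for this page, not code from Oasis or Microsoft) that turns a per-window guess budget into a cumulative takeover probability. The 30,000 guesses per 3-minute window is an assumption back-derived from the quoted 3% figure, and the 10-attempts-then-12-hour lockout is a placeholder, since Microsoft's actual threshold is not public.

```python
"""Risk model for brute-forcing a 6-digit TOTP, matching the figures in the article.

Assumptions (not published values): a 1,000,000-code space, a 3-minute validity
window, and roughly 30,000 guesses per window (which yields the quoted 3%).
The post-fix lockout threshold of 10 attempts per 12 hours is a placeholder.
"""
from math import ceil, log

CODE_SPACE = 10 ** 6  # six decimal digits: 000000 .. 999999


def per_window_probability(attempts: int, code_space: int = CODE_SPACE) -> float:
    """Chance that `attempts` distinct guesses include the one code valid in a window."""
    return min(attempts, code_space) / code_space


def cumulative_probability(attempts: int, windows: int, code_space: int = CODE_SPACE) -> float:
    """Each window carries a fresh code, so windows are independent trials."""
    p = per_window_probability(attempts, code_space)
    return 1.0 - (1.0 - p) ** windows


def windows_to_reach(target: float, attempts: int, code_space: int = CODE_SPACE) -> int:
    """Smallest number of windows after which the success probability is >= target."""
    p = per_window_probability(attempts, code_space)
    if p >= 1.0:  # budget covers the whole code space: one window suffices
        return 1
    return ceil(log(1.0 - target) / log(1.0 - p))


def time_to_reach(target: float, attempts: int, window_seconds: float) -> float:
    """Wall-clock seconds until the cumulative success probability reaches `target`."""
    return windows_to_reach(target, attempts) * window_seconds


if __name__ == "__main__":
    # Scenario A (constructed to match the article): no rate limit, 3-minute window.
    print(f"per window: {per_window_probability(30_000):.1%}")            # 3.0%
    print(f"after 24 windows: {cumulative_probability(30_000, 24):.1%}")  # 51.9%
    print(f"time to 50%: {time_to_reach(0.5, 30_000, 180) / 60:.0f} min")  # 69 min
    # Scenario B (placeholder lockout): 10 failures, then locked out for 12 hours.
    years = time_to_reach(0.5, 10, 12 * 3600) / (365 * 24 * 3600)
    print(f"with lockout, time to 50%: {years:.0f} years")                # 95 years
```

The comparison shows that the lockout, not the shorter code lifetime on its own, is what moves the expected takeover time from about an hour to decades.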