social.outsourcedmath.com

Not a Goat 🦝 mastodon (AP)
Oasis: Oasis Security Research Team Discovers Microsoft Azure MFA Bypass
Oasis has reported a vulnerability in Microsoft's Multi-Factor Authentication (MFA) implementation that allows attackers to bypass it and gain unauthorized access to the user's account (including Outlook emails, OneDrive files, Teams chats, Azure Cloud, etc.). No CVE ID is indicated. See the 9-page PDF report.

#microsoft #mfa #vulnerability #infosec #cybersecurity
Jeffrey mastodon (AP)
(speculation incoming, making some educated guesses)

...if they used Software OTP. Which is a lot of accounts (even if the user doesn't know about it), don't get me wrong, but there are a lot of users utilizing SMS or number matching from the MS Authenticator app (which, in the current default configuration, will disable the extra Software OTP option).

Although the way they are writing about the vulnerability makes me think it could affect all MFA types, including the ones generating notifications. With guns blazing, they would have around a 1/100 chance of going through number matching.

Also, the 10 attempts would suggest to me that it's controlled by Smart Lockout, which you can increase (why?) or decrease. Which leads me to believe the problem lay in Smart Lockout somehow not being aware of other login sessions.

Make your authentication phishing resistant and your access conditioned with compliance and geo-blocks, folks!
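To make the design point Jeffrey is speculating about concrete, here is an added example (not code from this thread, and not Microsoft's, Oasis's or any real Smart Lockout implementation): a toy second-factor lockout policy keyed per login session beside one keyed per account, a small simulation that counts how many wrong code submissions each policy admits before refusing, and the thread's 1/100 number-matching odds carried through to a cumulative probability. The class names, the use of the thread's "10 attempts" figure as a configurable threshold, the account name and the session identifiers are all assumptions made for the example.

```python
from collections import defaultdict

# Threshold taken from the thread's "10 attempts" figure; treated here as the
# lockout limit of a hypothetical second-factor verifier, not Microsoft's real value.
MAX_FAILURES = 10


class PerSessionLockout:
    """Flawed design: failures are counted per login session, so each new
    session starts with a fresh budget and the account never locks as a whole."""

    def __init__(self):
        self.failures = defaultdict(int)

    def is_locked(self, account, session):
        return self.failures[session] >= MAX_FAILURES

    def record_failure(self, account, session):
        self.failures[session] += 1


class PerAccountLockout:
    """Corrected design: failures are counted per account across every session,
    so parallel sessions share one budget of MAX_FAILURES guesses."""

    def __init__(self):
        self.failures = defaultdict(int)

    def is_locked(self, account, session):
        return self.failures[account] >= MAX_FAILURES

    def record_failure(self, account, session):
        self.failures[account] += 1


def failures_admitted(lockout, account, n_sessions, failures_per_session):
    """Policy test harness: simulate n_sessions concurrent login sessions for one
    account, each submitting wrong codes, and return how many wrong submissions
    the verifier accepted for checking before it started refusing them."""
    admitted = 0
    for i in range(n_sessions):
        session = f"session-{i}"  # constructed session identifier
        for _ in range(failures_per_session):
            if lockout.is_locked(account, session):
                break
            lockout.record_failure(account, session)
            admitted += 1
    return admitted


def success_probability(attempts, code_space=100):
    """Probability that `attempts` independent uniform guesses include the right
    value out of `code_space` possibilities (100 for a two-digit number-matching
    prompt, which is where the thread's 1/100 figure comes from)."""
    return 1.0 - (1.0 - 1.0 / code_space) ** attempts


if __name__ == "__main__":
    # Constructed scenario: five parallel sessions, twenty wrong codes each.
    for cls in (PerSessionLockout, PerAccountLockout):
        admitted = failures_admitted(cls(), "alice@example.invalid", 5, 20)
        print(f"{cls.__name__}: {admitted} wrong guesses admitted, "
              f"P(at least one hit) = {success_probability(admitted):.3f}")
```

The defender's reading of the two results is the point: a lockout counter scoped to the session lets the guess budget grow with the number of sessions an account has open, while a counter scoped to the account keeps the whole-account budget fixed at the configured threshold, so cumulative guessing odds stay at whatever the threshold implies. The same scoping question applies to monitoring: failed second-factor events should be aggregated per account across all sessions and source addresses before alert thresholds are evaluated.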
