#1
Oasis Security has revealed the details of the attack, which made it possible to bypass Microsoft's multi-factor authentication (MFA). The attack was called AuthQuake, and the vulnerability associated with it was discovered at the end of June this year.

According to experts, the vulnerability was recognized as critical and allowed attackers to bypass Microsoft's MFA and gain access to accounts (provided that the attackers already knew the username and password).

The MFA bypass could be used to gain access to Outlook email, OneDrive files, Teams chats, and Azure cloud instances. AuthQuake is especially dangerous because it takes (on average) only about one hour to complete, requires no user interaction, and gives the victim no warning while the attack is under way.

The essence of the problem was that when using an authenticator application to obtain a six-digit code for the MFA, one session allows up to 10 failed input attempts, which should prevent brute-force attacks. However, the researchers found that the attacker can make multiple input attempts at the same time, allowing them to brute force possible combinations very quickly.

During the tests carried out, it turned out that each MFA code generated by the application is valid for about three minutes. This means that the attacker has about a three percent chance of guessing the correct combination. And after three minutes, the attacker can initiate a new session, and repeat this process until they find the correct code.

Tests showed that the probability of guessing the code after 24 sessions (which took about 70 minutes) was over 50%, and in some cases, the code was guessed much faster, as shown in this video showing the exploit in action.

Source: https://www.oasis.security/resources/blo...mfa-bypass


The vulnerability has since been fixed. Microsoft engineers released a temporary fix at the end of June, when they first learned of the problem, and a full patch for AuthQuake followed in October.

Researchers at Oasis Security write that they are not at liberty to disclose the details of the fix, but can confirm that "Microsoft has imposed much stricter restrictions that are triggered after several unsuccessful attempts, and these strict restrictions then last about half a day."

The full PDF report is here:
https://pages.oasis.security/rs/106-PZV-...?version=0
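The two numbers in the post (about 3% per session, over 50% after 24 sessions) and the shape of the fix it quotes (a per-account limit that locks for about half a day) can be checked with a short model. The following Python is an added example written for this thread; it is not Oasis Security's or Microsoft's code. The 3%, the 10-attempt cap, the three-minute code lifetime and the 24 sessions are taken from the post; the `FailureLimiter` class, its method names and the 12-hour lockout value are assumptions. Its second half shows why the key a failure counter is indexed by (session versus account) decides whether the cap means anything when several sessions run at once.

```python
"""Added example (not from the Oasis Security write-up or Microsoft's code).

Part 1: the arithmetic behind "about 3% per session" and "over 50% after 24 sessions".
Part 2: a hypothetical verifier-side failure limiter, keyed per account rather than
        per session, with the long lockout the post describes for the fix.
"""
import hmac
import math
import threading

ATTEMPTS_PER_SESSION = 10      # post: up to 10 failed code entries per session
CODE_SPACE = 10 ** 6           # six-digit authenticator code
CODE_LIFETIME_S = 180          # post: each code valid for about three minutes
PER_SESSION_HIT_RATE = 0.03    # post: about a 3% chance of a hit per session
SESSIONS_IN_70_MIN = 24        # post: 24 sessions took about 70 minutes
LOCKOUT_S = 12 * 3600          # post: restrictions "last about half a day" (assumed 12 h)


def cumulative_success(sessions: int, p: float = PER_SESSION_HIT_RATE) -> float:
    """Probability that at least one of `sessions` independent sessions guesses the code."""
    return 1.0 - (1.0 - p) ** sessions


def sessions_for_confidence(target: float, p: float = PER_SESSION_HIT_RATE) -> int:
    """Smallest number of sessions for which cumulative_success() reaches `target`."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def nominal_hit_rate(attempts: int = ATTEMPTS_PER_SESSION, space: int = CODE_SPACE) -> float:
    """Per-session hit rate if the 10-attempt cap were actually binding per account.

    The gap between this value (0.001%) and the observed 3% is the vulnerability:
    the cap existed per session, and sessions could be opened in parallel.
    """
    return attempts / space


class FailureLimiter:
    """Hypothetical limiter. The caller chooses the key; keying by account is the fix,
    keying by session is the flaw the post describes. Guarded by a lock so concurrent
    sessions cannot each spend a private budget."""

    def __init__(self, max_failures: int = ATTEMPTS_PER_SESSION, lockout_s: float = LOCKOUT_S):
        self.max_failures = max_failures
        self.lockout_s = lockout_s
        self._lock = threading.Lock()
        self._failures: dict = {}       # key -> consecutive failed attempts
        self._locked_until: dict = {}   # key -> unix time the lockout ends

    def verify(self, key: str, submitted: str, expected: str, now: float) -> str:
        """Return "locked", "ok" or "wrong". `now` is passed in for deterministic tests."""
        with self._lock:
            if self._locked_until.get(key, 0.0) > now:
                return "locked"                      # nothing is compared while locked
            if hmac.compare_digest(submitted, expected):
                self._failures.pop(key, None)
                return "ok"
            n = self._failures.get(key, 0) + 1
            self._failures[key] = n
            if n >= self.max_failures:               # budget spent: long lockout
                self._locked_until[key] = now + self.lockout_s
                self._failures.pop(key, None)
            return "wrong"


def attempts_evaluated(limiter: FailureLimiter, keys, attempts_per_key: int = ATTEMPTS_PER_SESSION) -> int:
    """Feed wrong codes under each key and count how many were actually compared.

    Keys are a constructed input: the same account name repeated models the fixed
    design; distinct session ids model the pre-fix per-session counter.
    """
    evaluated = 0
    for key in keys:
        for _ in range(attempts_per_key):
            if limiter.verify(key, "000000", "123456", now=0.0) == "wrong":
                evaluated += 1
    return evaluated


if __name__ == "__main__":
    print(f"24 sessions, 3% each: {cumulative_success(SESSIONS_IN_70_MIN):.1%}")
    print(f"sessions for 50%: {sessions_for_confidence(0.5)}")
    print(f"24 sessions at the nominal cap: {cumulative_success(24, nominal_hit_rate()):.4%}")
    per_account = attempts_evaluated(FailureLimiter(), ["alice"] * 24)
    per_session = attempts_evaluated(FailureLimiter(), [f"session-{i}" for i in range(24)])
    print(f"codes compared, account-keyed: {per_account}; session-keyed: {per_session}")
```

Running it gives the post's numbers back: 24 sessions at 3% each reach about 52%, and 23 sessions already cross 50%. With the cap enforced per account, 24 sessions compare only 10 codes in total and the cumulative chance stays near 0.02%; keyed per session the same limiter compares 240. The lockout ends the counting entirely for the next 12 hours, which is what the quoted "much stricter restrictions" amount to.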