Microsoft’s MFA Blunder: The AuthQuake Fiasco Shakes Security Confidence
Researchers from Oasis Security discovered a critical Microsoft MFA vulnerability, dubbed AuthQuake, allowing attackers to bypass authentication without alerting victims. By exploiting this flaw, hackers could access Outlook, OneDrive, and more. Thankfully, Microsoft rolled out a permanent fix in October, just in time to prevent a real-world game of uninvited peekaboo.

Hot Take:
Who knew that bypassing Microsoft’s multi-factor authentication (MFA) was as simple as playing a game of code roulette, where the house doesn’t even know you’re betting? Hats off to Oasis Security for pulling back the curtain on this MFA magic trick gone wrong. Now, Microsoft users can breathe a sigh of relief knowing that their digital fortress isn’t guarded by the tech equivalent of a cardboard cutout.
Key Points:
- Oasis Security discovered a critical vulnerability in Microsoft’s MFA, dubbed “AuthQuake.”
- The attack allowed bypassing MFA if the attacker had the target’s username and password.
- The exploit could have granted access to services like Outlook, OneDrive, Teams, and Azure.
- Microsoft implemented a temporary fix in June and a permanent fix in October.
- The attack method took about an hour to execute without user interaction or notification.
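The page does not describe AuthQuake's internals, but the "code roulette" it alludes to is a guessing attack against a short one-time code, and the defensive property it tests is whether the verifier budgets failed attempts per account and tells the user. The following is an added example (not code from Oasis Security or Microsoft) of an OTP verifier that counts failures across all sessions, locks the account, and raises a notification; the class and constant names, and the limits, are assumptions chosen for illustration.

```python
import hmac
import secrets
import time
from collections import defaultdict

# Constructed limits for this example: a 6-digit code has 10**6 possibilities,
# so the attempt budget per account (not per session) has to stay tiny.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60


class OtpVerifier:
    """Verifies one-time codes with an account-wide failure budget and user alerts."""

    def __init__(self, notify):
        self.notify = notify                 # callback: notify(account, message)
        self.failures = defaultdict(int)     # account -> failed attempts so far
        self.locked_until = {}               # account -> unix time lock expires
        self.pending = {}                    # account -> (code, expiry time)

    def issue(self, account, ttl=300, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = (code, now + ttl)
        return code

    def verify(self, account, submitted, session_id, now=None):
        now = time.time() if now is None else now
        if self.locked_until.get(account, 0) > now:
            return False                     # locked: every session is refused
        issued = self.pending.get(account)
        if issued is None or issued[1] < now:
            return False                     # no live code for this account
        # Constant-time compare; the counter below is keyed by account, not by
        # session_id, so opening a fresh session does not refill the budget.
        if hmac.compare_digest(issued[0], submitted):
            self.failures.pop(account, None)
            self.pending.pop(account, None)
            return True
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures.pop(account, None)
            self.notify(account, f"MFA locked after repeated wrong codes (session {session_id})")
        return False
```

Because `verify` is keyed by account, a caller that spreads guesses over many parallel sessions still hits the same lockout and triggers the same user-facing alert.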