Home » Topics » Data Protection & Privacy » Vulnerability in Microsoft’s MFA could wreak havoc on organisations, says security expert

Vulnerability in Microsoft’s MFA could wreak havoc on organisations, says security expert

Avatar photoby Andrew Ross

It’s a bit like “taking a room key for a building and turning it into a skeleton key that works on every door in the building,” explained a blog on the Okta REX website.

To exploit the vulnerability, either an internal actor, such as a disgruntled employee, or an operator of a phishing campaign that can obtain the credentials of several users, can gain access to critical systems.

>See also: Is multi-factor authentication finally picking up speed?

The weakness was found in the MFA protocol for the authentication system – Active Directory Federated Services (ADFS) – which can function as an organisational gatekeeper.

The Security Engineer, Andrew Lee, who discovered the vulnerability, explained: “A weakness in the Microsoft ADFS protocol for integration with MFA products allows a second factor for one account to be used for all other accounts in an organisation.”

>See also: The cure for compromised credentials: what to consider when …

MFA – multi-factor identification – is a multi-layered approach to confirming a user’s identity. It can confirm a user’s identify by, for example, combining questions relating to something a user knows, something they have and something they are.

According to Lee, however, “by exploiting a weakness in the MFA protocol for Microsoft’s authentication system, if a single user’s password and second factor are compromised, their second factor can be used in place of anyone else’s in the organisation.”

>See also: What challenges do engineering-orientated CTO’s encounter …

After being notified about the vulnerability and independently validating it, Microsoft produced a patch to address it. Okta says that organisations running Microsoft ADFS are advised to patch their systems.

According to Okta REX, more than 80% of today’s breaches leveraged either stolen and/or weak passwords. It said that “this vulnerability is particularly viable for insider threat actors who can easily spearphish unsuspecting members of their organization, whether it’s a direct colleague, supervisor, or even senior executives.”

Avatar photo

Andrew Ross

As a reporter with Information Age, Andrew Ross writes articles for technology leaders; helping them manage business critical issues both for today and in the future

Related Topics

Data Breaches

Related Stories

Data Protection & Privacy

The future of private AI: open source vs closed source

As regulation of artificial intelligence evolves, the future of AI could be private in nature - here's how adoption of open and close source capabilities would compare

Blockchain

How fully homomorphic encryption can solve blockchain’s privacy problem

Jason Delabays explains how fully homomorphic encryption can help businesses innovating with blockchain ensure privacy long-term.

Data Protection & Privacy

Combining Qumulo integration with open source backup software

Software development automation platform Yuzuy has been looking to drive value from integration with Qumulo and customer partnerships

Data Protection & Privacy

Class action lawsuit filed against OpenAI over “stolen private information”

OpenAI, developer of ChatGPT, has been hit with a class action lawsuit alleging misappropriation of personal data scraped from the web