Oasis researchers Elad Luz and Tal Hason highlighted that the vulnerability allowed attackers to sidestep MFA with a simple, automated attempt that required no user interaction.
The vulnerability stemmed from a lack of rate limiting on code verification, enabling attackers to rapidly spawn new sessions and enumerate all possible six-digit codes without alerting account holders.
Despite being time-based, Microsoft's implementation allowed TOTP codes to be valid for up to 3 minutes, extending the window for potential attacks.
After responsible disclosure, Microsoft addressed the critical vulnerability, codenamed AuthQuake, which posed a significant risk to user account security.
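The two weaknesses the article describes, a missing rate limit and a long code-validity window, both live in the server-side verifier. The following added example (not Oasis's or Microsoft's code) implements an RFC 6238 TOTP check whose failure budget is keyed by account rather than by session, so opening fresh sessions does not reset it, and whose lookback window is configurable; the "three-minute" setting is modelled here as accepting the current 30-second step plus six earlier ones, which is an assumption about how such a window could be implemented. The secret and timestamps are constructed demo values.

```python
import hashlib
import hmac
import struct
from collections import defaultdict

STEP_SECONDS = 30  # RFC 6238 default time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def totp(secret: bytes, now: float) -> str:
    """Code a client would present at wall-clock time `now`."""
    return hotp(secret, int(now // STEP_SECONDS))


class OtpVerifier:
    """Server-side verifier. `lookback_steps` = how many past 30s codes stay valid
    (so lookback_steps + 1 codes are simultaneously accepted); `max_failures` is a
    per-account budget, deliberately independent of the session that submits."""

    def __init__(self, secret: bytes, lookback_steps: int, max_failures: int):
        self.secret = secret
        self.lookback_steps = lookback_steps
        self.max_failures = max_failures
        self.failures = defaultdict(int)  # account -> consecutive failed attempts

    def verify(self, account: str, session_id: str, code: str, now: float) -> str:
        # session_id is logged by a real service but never keys the budget:
        # a budget per session is what a session-spawning attacker resets for free.
        if self.failures[account] >= self.max_failures:
            return "locked"  # refuse even a correct code until an operator/cooldown clears it
        current = int(now // STEP_SECONDS)
        for step in range(current - self.lookback_steps, current + 1):
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.failures[account] = 0
                return "ok"
        self.failures[account] += 1
        return "rejected"


# Constructed demo values (not real secrets or incident data).
SECRET = b"constructed-demo-secret-not-real"
NOW = 1_700_000_000.0
WEAK = OtpVerifier(SECRET, lookback_steps=6, max_failures=10 ** 9)  # ~3 min window, no limit
HARDENED = OtpVerifier(SECRET, lookback_steps=1, max_failures=5)
```

With the weak configuration seven codes are valid at once and the budget never trips; with the hardened one a two-minute-old code is rejected and five wrong guesses from five different sessions lock the account.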