Oasis Security discovered a flaw in Microsoft’s Multi-Factor Authentication (MFA) system that allowed attackers to bypass it and access user accounts, including Outlook, OneDrive, Teams, and Azure. With over 400 million Office 365 users, the impact of this vulnerability could be significant.
The research team claims: “The bypass was simple: it took around an hour to execute, required no user interaction and did not generate any notification or provide the account holder with any indication of trouble.”
By infosecbulletin / Wednesday, December 18, 2024
When users access the login page, they receive a session identifier. After entering a valid email and password, they must verify their identity. Microsoft offers various MFA methods, such as using a verification code from an app. Users enter a 6-digit code from the app to complete the authentication. Up to 10 consecutive failed attempts were allowed for a single session.
The Oasis research team found that they could rapidly generate new sessions and submit new codes, demonstrating that all 1 million combinations of a 6-digit code could be exhausted. In simple terms, they could make many attempts at once, because the failure limit applied per session rather than per account.
Oasis informed Microsoft of the issue; Microsoft acknowledged it in June and fixed it permanently by Oct. 9, the researchers said. “While specific details of the changes are confidential, we can confirm that Microsoft introduced a much stricter rate limit that kicks in after a number of failed attempts; the strict limit lasts around half a day,” Hason wrote.
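The following Python is an added illustration and is not code from Oasis, Microsoft, or this publication. It models the two throttling designs the article contrasts: a failure counter attached to the session (which a caller can reset by opening a new session) and a counter attached to the account that triggers a long lock. The per-account threshold of 10, the 12-hour lock (the article only says "around half a day"), the event log format, and the detection thresholds are assumptions chosen for the example; the sample events are constructed, not real telemetry.

```python
import time
from collections import defaultdict

CODE_LENGTH = 6                      # 6-digit app code, 10**6 possibilities (from the article)
PER_SESSION_LIMIT = 10               # failed attempts tolerated per session (from the article)
ACCOUNT_FAILURE_THRESHOLD = 10       # assumption: per-account threshold that triggers the strict limit
STRICT_LOCKOUT_SECONDS = 12 * 3600   # assumption for "around half a day" as quoted in the article


class PerSessionLimiter:
    """Weak design: the failure counter lives on the session, so a caller who
    opens a fresh session gets a fresh budget of PER_SESSION_LIMIT guesses."""

    def __init__(self):
        self.failures = defaultdict(int)  # session_id -> failed attempts

    def allow(self, account, session_id):
        return self.failures[session_id] < PER_SESSION_LIMIT

    def record_failure(self, account, session_id):
        self.failures[session_id] += 1


class PerAccountLimiter:
    """Hardened design: failures are counted per account across every session,
    and crossing the threshold locks MFA for that account for a long window."""

    def __init__(self, now=time.time):
        self.now = now                     # injectable clock so tests can advance time
        self.failures = defaultdict(int)   # account -> failed attempts since last reset
        self.locked_until = {}             # account -> unix time when the lock expires

    def allow(self, account, session_id):
        return self.now() >= self.locked_until.get(account, 0.0)

    def record_failure(self, account, session_id):
        self.failures[account] += 1
        if self.failures[account] >= ACCOUNT_FAILURE_THRESHOLD:
            self.locked_until[account] = self.now() + STRICT_LOCKOUT_SECONDS
            self.failures[account] = 0

    def record_success(self, account):
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


def guess_budget(limiter, account, sessions, attempts_per_session):
    """How many wrong codes the limiter accepts for one account when attempts are
    spread over `sessions` independent sessions. Every attempt is treated as a
    failure; the point is the size of the budget, not any particular code."""
    allowed = 0
    for s in range(sessions):
        session_id = f"sess-{s}"
        for _ in range(attempts_per_session):
            if not limiter.allow(account, session_id):
                break
            allowed += 1
            limiter.record_failure(account, session_id)
    return allowed


def keyspace_fraction(guesses):
    """Share of all 6-digit codes that `guesses` attempts can cover."""
    return min(guesses, 10 ** CODE_LENGTH) / 10 ** CODE_LENGTH


# Constructed sample of MFA failure events (account, session_id, unix time);
# not real telemetry. Per-session throttling never locks anyone out and, as the
# article notes, the account holder saw no notification, so the detection angle
# is one account failing MFA from many distinct sessions in a short window.
SAMPLE_EVENTS = [
    ("alice@example.test", f"sess-{i}", 1_700_000_000 + i) for i in range(25)
] + [
    ("bob@example.test", "sess-x", 1_700_000_000 + i) for i in range(3)
]


def accounts_under_mfa_spray(events, window_seconds=300, min_sessions=20):
    """Return accounts with MFA failures from at least `min_sessions` distinct
    sessions inside any sliding window of `window_seconds`."""
    by_account = defaultdict(list)
    for account, session_id, ts in events:
        by_account[account].append((ts, session_id))
    flagged = set()
    for account, rows in by_account.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window_seconds:
                start += 1
            if len({sid for _, sid in rows[start:end + 1]}) >= min_sessions:
                flagged.add(account)
                break
    return flagged


if __name__ == "__main__":
    weak = guess_budget(PerSessionLimiter(), "alice", sessions=100_000, attempts_per_session=10)
    strong = guess_budget(PerAccountLimiter(), "alice", sessions=100_000, attempts_per_session=10)
    print(f"per-session limiter: {weak} guesses ({keyspace_fraction(weak):.0%} of codes)")
    print(f"per-account limiter: {strong} guesses ({keyspace_fraction(strong):.4%} of codes)")
    print("flagged accounts:", accounts_under_mfa_spray(SAMPLE_EVENTS))
```

The per-session limiter hands out 10 guesses per session and nothing stops the next session, so the budget grows with the number of sessions until the whole code space is covered; the per-account limiter stops at the threshold regardless of how many sessions are opened and stays closed for the lock window. The detection function keys on the same property from the monitoring side: many distinct sessions failing MFA for one account inside a short window is the signal to alert on even when no lockout fires.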
Vulnerability timeline and Microsoft response:
24/06/2024 – Microsoft acknowledged the issue
04/07/2024 – Microsoft deployed a temporary fix
09/10/2024 – Microsoft deployed a permanent fix
Source: oasis.security