It’s a bit like “taking a room key for a building and turning it into a skeleton key that works on every door in the building,” explained a blog on the Okta REX website.
Either an internal actor, such as a disgruntled employee, or a phishing-campaign operator who can obtain the credentials of several users could exploit the vulnerability to gain access to critical systems.
The weakness was found in the MFA protocol for the authentication system – Active Directory Federation Services (ADFS) – which can function as an organisational gatekeeper.
Andrew Lee, the security engineer who discovered the vulnerability, explained: “A weakness in the Microsoft ADFS protocol for integration with MFA products allows a second factor for one account to be used for all other accounts in an organisation.”
MFA – multi-factor authentication – is a layered approach to confirming a user’s identity. It does so by, for example, combining factors drawn from something the user knows, something they have and something they are.
According to Lee, however, “by exploiting a weakness in the MFA protocol for Microsoft’s authentication system, if a single user’s password and second factor are compromised, their second factor can be used in place of anyone else’s in the organisation.”
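To make the described flaw concrete, here is an added toy model (not Okta’s or Microsoft’s code, and not the real ADFS protocol) of an MFA completion proof that is not bound to the account it was issued for, beside a hardened version that binds the proof to the account with a keyed MAC. The user names, passwords and one-time codes are constructed sample data.

```python
import hmac
import hashlib
import secrets

# Constructed sample directory: passwords and per-user second-factor codes.
PASSWORDS = {"alice": "alice-pw", "bob": "bob-pw"}
SECOND_FACTORS = {"alice": "111111", "bob": "222222"}
SERVER_KEY = secrets.token_bytes(32)  # key known only to the federation server

def check_password(user, password):
    return PASSWORDS.get(user) == password

def check_second_factor(user, code):
    return SECOND_FACTORS.get(user) == code

# Flawed model: the MFA step returns a proof that says only "a second factor
# passed", with no record of which account passed it.
def mfa_proof_unbound(user, code):
    return "mfa-ok" if check_second_factor(user, code) else None

def login_unbound(user, password, proof):
    return check_password(user, password) and proof == "mfa-ok"

# Hardened model: the proof is a MAC over the account that completed the second
# factor, so it is only accepted for that same account.
def mfa_proof_bound(user, code):
    if not check_second_factor(user, code):
        return None
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()

def login_bound(user, password, proof):
    if proof is None or not check_password(user, password):
        return False
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, proof)

def cross_account_check(login, mfa_proof):
    """Scenario from the article: alice's password and second factor are both
    compromised, and only bob's password is known. Returns True if a proof
    completed for alice is accepted when logging in as bob."""
    proof = mfa_proof("alice", SECOND_FACTORS["alice"])
    return bool(login("bob", PASSWORDS["bob"], proof))
```

Running `cross_account_check` against the flawed pair returns True (alice’s second factor is accepted for bob), while the bound pair returns False; a legitimate login for bob with bob’s own proof succeeds in both models.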
After being notified about the vulnerability and independently validating it, Microsoft produced a patch to address it. Okta says that organisations running Microsoft ADFS are advised to patch their systems.
According to Okta REX, more than 80% of today’s breaches leveraged stolen and/or weak passwords. It said that “this vulnerability is particularly viable for insider threat actors who can easily spearphish unsuspecting members of their organization, whether it’s a direct colleague, supervisor, or even senior executives.”