The Inside Job: When Microsoft MFA Fails

Matias Brutti
August 14, 2018

In today’s threat landscape, cybersecurity vulnerabilities can originate from a variety of places. An exploitable gap in one vendor’s technology can have serious, cascading repercussions across an entire organization, large or small. This reality is one of the reasons that Okta’s Research and Exploitation (REX) team constantly performs security reviews for all of our code bases, as well as for all of the technologies with which we integrate.

Recently, during one such assessment, Okta REX Security Engineer Andrew Lee discovered a vulnerability in Microsoft’s Active Directory Federation Services (ADFS). The vulnerability allowed potentially malicious actors to bypass Multi-Factor Authentication (MFA) safeguards, as long as they had full access to another user’s credentials on the same ADFS service. This is similar to taking a room key for a building and turning it into a skeleton key that works on every door in the building.

Simply put, if just one employee in a global company wanted to – or if a bad actor compromised the account of one employee – they could do a lot of harm by compromising unsuspecting colleagues, senior executives, or even the CEO with this vulnerability. Imagine a malicious actor within an organization gaining access to sensitive information such as financial data or company patents. The financial impact could be disastrous to the organization, and could have reverberating implications for their clients, customers or partners. When you understand how most credential phishing attacks work, this exploit gives a potential bad actor an incredible advantage to expand compromises significantly. Corporations rely on MFA to limit credential attacks, which might leave them susceptible to back-of-mind threats such as insider intrusions, and lateral movement within the network that might lead to privilege escalation, among other things.

In the discovery of this vulnerability, REX adhered to Okta’s responsible disclosure process to identify the vulnerability and report it to Microsoft. A fix has been released, but because ADFS is an on-premises solution, customers and IT administrators are strongly encouraged to stay on their toes and patch their systems to ensure the security of their organizations.

For the full technical breakdown of this vulnerability, check out Andrew’s post on our Security blog.

Previous
Next

April 15, 2024

Jumpstart Identity with automation

By Frederico Hakamine
If you’ve ever found yourself thinking “Why does this process take so long? Don’t we have computers for that?” Well, you’re probably right. The strain you’re…

Read now

April 12, 2024

SMB Identity buyer's checklist

By Frederico Hakamine
TL;DR: Identity touches every point of your business. Here’s a checklist of what you should be asking yourself when shopping for an Identity solution.   …

Read now

April 9, 2024

More than SSO: Five SaaS features you need to win enterprise customers

By Mallory Sword Glenn
There comes a time in every SaaS company's journey when they’re ready to move upmarket and start landing enterprise logos. While your app might be a winner…

Read now

April 2, 2024

SMBs at Work 2024: Which apps are powering today’s growing companies?

By Monisha Formoso
For today’s tech leaders, the future of work isn’t just a hot topic; it’s an essential one. Understanding where work is heading lets us anticipate trends,…

Read now

March 28, 2024

CIAM by example in four recipes: Build for data privacy and compliance

By Frederico Hakamine
This recipe is part of the series Learn CIAM by example: Four recipes to improve your app’s security and UX. You can learn more about the series by downloading…

Read now