It’s a bit like “taking a room key for a building and turning it into a skeleton key that works on every door in the building,” explained a blog on the Okta REX website.
The vulnerability can be exploited either by an internal actor, such as a disgruntled employee, or by the operator of a phishing campaign who obtains the credentials of several users, to gain access to critical systems.
The weakness was found in the MFA protocol of the authentication system – Active Directory Federation Services (ADFS) – which can function as an organisational gatekeeper.
The security engineer who discovered the vulnerability, Andrew Lee, explained: “A weakness in the Microsoft ADFS protocol for integration with MFA products allows a second factor for one account to be used for all other accounts in an organisation.”
MFA – multi-factor authentication – is a multi-layered approach to confirming a user’s identity. It confirms a user’s identity by, for example, combining proof of something the user knows, something they have and something they are.
According to Lee, however, “by exploiting a weakness in the MFA protocol for Microsoft’s authentication system, if a single user’s password and second factor are compromised, their second factor can be used in place of anyone else’s in the organisation.”
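The class of flaw Lee describes is a completed-MFA context that proves only that *someone* passed the second factor, rather than which account did. The following is an added illustration, not Microsoft's ADFS code or Okta's research code, and it assumes a simplified two-step login with a constructed server signing key and hypothetical function names. It places the weak design (context not bound to the account) beside the hardened one (context records the subject, and the final step checks it against the account being logged in).

```python
"""Constructed illustration of binding a completed-MFA context to the account.
Not the ADFS protocol; a generic model of the cross-account second-factor flaw."""
import base64
import hashlib
import hmac
import json

# Constructed server-side signing key (placeholder value, not a real secret).
SERVER_KEY = b"server-key-placeholder"


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the context payload so clients cannot forge or alter it."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_mfa_context(username: str, bound: bool) -> str:
    """Issued only after this user's password AND second factor were verified.

    bound=False models the weak design: the context says just "MFA done".
    bound=True records which account satisfied MFA ("sub" claim).
    """
    claims = {"mfa": "done"}
    if bound:
        claims["sub"] = username
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def complete_login(username: str, password_ok: bool, context: str,
                   require_binding: bool) -> bool:
    """Final step: grant access to `username` only if the password checked out
    and the presented MFA context is authentic.

    require_binding=False is the weak verifier: any authentic "MFA done"
    context satisfies MFA for any account, so one user's second factor
    stands in for everyone else's.
    require_binding=True is the hardened verifier: the context must name
    this same account.
    """
    if not password_ok:
        return False
    try:
        encoded, sig = context.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except (ValueError, TypeError):
        return False
    if not hmac.compare_digest(_sign(payload), sig):
        return False  # forged or tampered context
    claims = json.loads(payload)
    if claims.get("mfa") != "done":
        return False
    if not require_binding:
        return True
    # The check that closes the cross-account hole: a context with no subject,
    # or issued for a different subject, does not satisfy MFA for this account.
    return claims.get("sub") == username


def demo() -> dict:
    """Alice completes MFA; her context is then presented for Bob's account."""
    weak_ctx = issue_mfa_context("alice", bound=False)
    bound_ctx = issue_mfa_context("alice", bound=True)
    return {
        # weak design: Alice's second factor is accepted for Bob
        "weak_cross_account": complete_login("bob", True, weak_ctx, False),
        # hardened design: rejected, Alice's context names Alice
        "bound_cross_account": complete_login("bob", True, bound_ctx, True),
        "bound_own_account": complete_login("alice", True, bound_ctx, True),
    }


if __name__ == "__main__":
    print(demo())
```

In the weak configuration `demo()` reports the cross-account login as accepted; with the subject claim and the matching check it is refused. The underlying lesson for any MFA integration is that the second-factor result must be verified for, and tied to, the specific identity in the login request, and that the integrity protection on the context (here the HMAC) only helps if the protected data includes that identity.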
After being notified about the vulnerability and independently validating it, Microsoft produced a patch to address it. Okta says that organisations running Microsoft ADFS are advised to patch their systems.
According to Okta REX, more than 80% of today’s breaches leveraged stolen or weak passwords. It said that “this vulnerability is particularly viable for insider threat actors who can easily spearphish unsuspecting members of their organization, whether it’s a direct colleague, supervisor, or even senior executives.”