A vulnerability in Microsoft’s popular identity management directory could let an attacker breach multiple employee accounts in an organization by circumventing multi-factor authentication, according to new research from identity security company Okta.
The directory in question is Microsoft’s Active Directory Federation Services (ADFS), which allows business partners from different organizations to sign in to shared web applications. A weakness in the multi-factor authentication protocol for ADFS means that a hacker equipped with a user’s password and second “factor,” such as an SMS message, could use that factor in place of any other employee’s in the organization, according to Okta. To breach another user in the organization, the hacker would need access to his or her user name and password on the same ADFS service.
“Simply put, if just one employee in a global company wanted to – or if a bad actor compromised the account of one employee – they could do a lot of harm by compromising unsuspecting colleagues, senior executives, or even the CEO with this vulnerability,” wrote Matias Brutti, Okta’s director of research and exploitation.
Microsoft has released a patch for the vulnerability. Given that ADFS is “a legacy, on-premises solution, customers and IT administrators are strongly encouraged to stay on their toes and patch their systems to ensure the security of their organizations,” Brutti wrote.
In a blog post, Andrew Lee, the Okta security engineer who found the vulnerability, likened its exploitation “to turning a room key into a master key for every door in the building – but in this building, each door has a second lock that accepts a passcode.”
The vulnerability stems from a “failure to cryptographically enforce the integrity and authenticity of relationships between the two pieces of identity — the primary credentials and the second factor,” Lee wrote.
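To make the root cause described above concrete, the following Python sketch contrasts two designs for the hand-off between a password check and a second-factor check. It is an added illustration, not code from Okta, Microsoft or ADFS, and it does not reproduce the ADFS implementation: the user records, server key, toy OTP function and the `start_login_*` / `finish_login_*` helpers are all constructed for the example. In the unbound design the server-issued context only proves that some password check passed, so the second-factor verification is keyed on whichever account the caller names. In the bound design the context carries an HMAC over the authenticated subject, and the second factor is checked against that same subject's enrolled credential, so neither substituting another user's factor nor editing the subject field in the context is accepted.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret (hypothetical); a real deployment would use a
# managed key, not a per-process random value.
SERVER_KEY = secrets.token_bytes(32)

# Constructed user database: plaintext passwords and OTP seeds are placeholders
# used only so the example runs offline.
USERS = {
    "alice": {"password": "alice-pw", "otp_seed": b"seed-alice"},
    "mallory": {"password": "mallory-pw", "otp_seed": b"seed-mallory"},
}


def check_password(user, password):
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["password"], password)


def current_otp(user, step=None):
    """Toy time-based code: HMAC(seed, time-step). Stands in for SMS/TOTP."""
    step = int(time.time() // 30) if step is None else step
    seed = USERS[user]["otp_seed"]
    return hmac.new(seed, str(step).encode(), hashlib.sha256).hexdigest()[:6]


# --- Unbound design: context does not name the authenticated subject -------

def start_login_unbound(user, password):
    if not check_password(user, password):
        return None
    nonce = secrets.token_hex(8)
    tag = hmac.new(SERVER_KEY, nonce.encode(), hashlib.sha256).hexdigest()
    return {"nonce": nonce, "tag": tag}  # proves "a password passed", not whose


def finish_login_unbound(ctx, target_user, otp_user, otp, step=None):
    tag = hmac.new(SERVER_KEY, ctx["nonce"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, ctx["tag"]):
        return None
    # Defect: the factor is checked for otp_user, unrelated to target_user.
    if not hmac.compare_digest(current_otp(otp_user, step), otp):
        return None
    return target_user  # session issued for target_user


# --- Bound design: subject is part of the authenticated context -------------

def _bound_tag(user, nonce, expires):
    msg = f"{user}|{nonce}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def start_login_bound(user, password):
    if not check_password(user, password):
        return None
    nonce = secrets.token_hex(8)
    expires = int(time.time()) + 300
    return {"user": user, "nonce": nonce, "expires": expires,
            "tag": _bound_tag(user, nonce, expires)}


def finish_login_bound(ctx, otp, step=None):
    if not hmac.compare_digest(
            _bound_tag(ctx["user"], ctx["nonce"], ctx["expires"]), ctx["tag"]):
        return None  # context tampered with (e.g. subject field swapped)
    if time.time() > ctx["expires"]:
        return None
    # The factor is checked for the SAME subject whose password was verified;
    # there is no separate "whose OTP" input for a caller to choose.
    if not hmac.compare_digest(current_otp(ctx["user"], step), otp):
        return None
    return ctx["user"]


def demo(step=12345):
    """Outcome of each flow for: Alice's password known, only Mallory's factor held."""
    results = {}
    ctx = start_login_unbound("alice", "alice-pw")
    results["unbound_accepts_foreign_factor"] = finish_login_unbound(
        ctx, "alice", "mallory", current_otp("mallory", step), step)
    ctx = start_login_bound("alice", "alice-pw")
    results["bound_rejects_foreign_factor"] = finish_login_bound(
        ctx, current_otp("mallory", step), step)
    ctx = start_login_bound("mallory", "mallory-pw")
    tampered = dict(ctx, user="alice")  # subject edited after issuance
    results["bound_rejects_tampered_context"] = finish_login_bound(
        tampered, current_otp("mallory", step), step)
    ctx = start_login_bound("alice", "alice-pw")
    results["bound_legitimate"] = finish_login_bound(
        ctx, current_otp("alice", step), step)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is the one Lee's quote makes: the second-factor check has to be cryptographically tied to the identity the primary credential established, not merely performed somewhere in the same session. A fixed `step` is passed in `demo()` only so the toy OTP is deterministic.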
Information security professionals have weighed in on the merits of two-factor authentication via SMS following the June breach of Reddit, one of the world’s most popular websites. Hackers compromised the accounts of several Reddit employees by intercepting the SMS messages used to log them in.
Experts say the breach was a reminder of the security limits of two-factor authentication via SMS, but also emphasize that it is, of course, still better than having no second factor at all. Upgrading to a hardware token thwarts attacks that rely on an SMS intercept.