The story of how I accidentally discovered a vulnerability in Microsoft MFA by being unorganized

Thu, 27 Jun 2024 @ 10:05:00

The talk will be mainly a story with a few technical details everyone can understand, and will be mostly fun but lead you to a deep understanding of how simple mistakes by the cloud provider can lead to full account takeover. It will be about the Microsoft MFA bypass vulnerability I found accidentally by being unorganized in my authentication app, how I tried to implement the least amount of code to use the vulnerability, and how it all rolled out. The session will start with me talking about my authenticator app, which contains a large number of accounts, and how I usually put in the wrong code at least twice before I successfully find the correct account.

This led to a morning where I made mistakes a lot of times until I figured out that there was a missing implementation in the Microsoft MFA process that I could maybe use. Then we will talk about how I created a simple and easy POC using Cypress to avoid understanding the full implementation of the Microsoft API, how that didn't work because Cypress was too slow, then how I tried to use a GCP virtual machine to run the vulnerability but in the morning got an email that they had blocked me, and how we conquered this issue. Finally, how I expanded it to take full advantage of their mistake, after all the things I learned, to successfully bypass the MFA process.