This isn’t the first time I’ve read about Microsoft reacting significantly worse to a security hole than other companies. Is that a real pattern? If so, I wonder why they’re so much worse.
2FA is something harder to steal than the password, right? I mean, it really only works in theory to me.
You’re misunderstanding the attack. You aren’t stealing 2FA. You are breaking into an account and registering your device for 2FA, establishing a login session and not sending the 2FA code.
Then if the user resets their password, this vulnerability lets you send the 2FA code without the new password to log in.
If I understood the article correctly, you would only have one opportunity to gain access to the account, in which case you would need to set up the trigger for the attack again (e.g. do something to make user reset password)?
It still seems like a weak attack though, because it requires gaining access to their account in the first place. So it would only work on 1) accounts where the password was known and 2) accounts where 2FA was not already enabled. In any case, you have access to their account, so it’s basically game over already?
Or, do I have it all wrong, and you would basically always trigger the attack regardless of what the user does, as long as they do not remove your 2FA device?
In the real world, account theft may be game over for your threat modeling as an individual, but it’s not the end of the user’s interest in their account, nor can it be the end of the modeling for the security teams who design these precautions. An account at one of the large tech companies may have a lifetime of emails and photographs in it. It may have digital purchases and control of cloud resources attached to it. It may be the recovery email for myriad other accounts held by smaller companies whose customer service teams are non-existent or unhelpful. So it does matter that the correct user has a chance to get back in and kick the attacker out, after an account is stolen.
With that background… The point of the attack is that it’s a way for an attacker who has already broken in to make sure they aren’t kicked out. Per the above, this is a real and important concern and it’s a situation that happens every day. Companies have recovery teams which try their best to make sure, after a compromise, that the real owner recovers the account. It’s difficult work to verify that it’s the real owner attempting recovery and not the thief; some portion of these recoveries succeed and some fail. If this attack finds widespread use, we can safely assume that all the recoveries will fail, at least until it’s fixed properly.
The attack, as described, doesn’t even depend on whether the 2FA device is removed or not. It’s sufficient for the attacker to have been able to add it.
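The two explanations above (the attacker registers a device, clears the password step, withholds the code, then submits it after the victim resets the password; and the point that removing the device is irrelevant) can be made concrete with a small model. The following is an added example written for this thread, not code from the article or from any real account provider; the account names, passwords, `strict` switch and `credential_version` field are all constructed for illustration. With `strict=False` the server reproduces the flaw as the comments describe it; with `strict=True` every open second-factor challenge is bound to the credential version it was issued under, so a password reset kills the attacker's half-finished login even though their device is still enrolled.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _hash_password(password: str, salt: str) -> str:
    # Illustrative only; a real system would use a slow KDF such as Argon2 or scrypt.
    return hashlib.sha256((salt + password).encode()).hexdigest()


@dataclass
class Account:
    salt: str
    password_hash: str
    credential_version: int = 1            # bumped on every password reset
    devices: set = field(default_factory=set)
    # challenge_id -> (expected code, credential_version it was issued under)
    pending: dict = field(default_factory=dict)


class AuthServer:
    """Toy authentication server (constructed for this example).

    strict=False: a second-factor challenge issued before a password reset is
    still accepted afterwards, which is the flaw described in the thread.
    strict=True: a challenge is only valid under the credential version it was
    issued for, so a password reset invalidates everything the attacker set up.
    """

    def __init__(self, strict: bool):
        self.strict = strict
        self.accounts = {}

    def create_account(self, user: str, password: str) -> None:
        salt = secrets.token_hex(8)
        self.accounts[user] = Account(salt, _hash_password(password, salt))

    def _check_password(self, user: str, password: str) -> bool:
        acct = self.accounts[user]
        return hmac.compare_digest(acct.password_hash, _hash_password(password, acct.salt))

    def enroll_device(self, user: str, password: str, device: str) -> bool:
        """Register a 2FA device; requires the current password."""
        if not self._check_password(user, password):
            return False
        self.accounts[user].devices.add(device)
        return True

    def begin_login(self, user: str, password: str, device: str):
        """First factor. Returns (challenge_id, code) or None.
        The code is returned instead of being delivered to `device`."""
        acct = self.accounts[user]
        if not self._check_password(user, password) or device not in acct.devices:
            return None
        challenge_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        acct.pending[challenge_id] = (code, acct.credential_version)
        return challenge_id, code

    def complete_login(self, user: str, challenge_id: str, code: str) -> bool:
        """Second factor: submit the code for an open challenge."""
        acct = self.accounts[user]
        entry = acct.pending.get(challenge_id)
        if entry is None:
            return False
        expected, issued_under = entry
        if self.strict and issued_under != acct.credential_version:
            # Issued under a password that has since been reset: refuse it.
            del acct.pending[challenge_id]
            return False
        if not hmac.compare_digest(expected, code):
            return False
        del acct.pending[challenge_id]
        return True

    def reset_password(self, user: str, new_password: str) -> None:
        acct = self.accounts[user]
        acct.salt = secrets.token_hex(8)
        acct.password_hash = _hash_password(new_password, acct.salt)
        acct.credential_version += 1   # strict mode keys challenge validity off this


def attacker_keeps_access(strict: bool) -> bool:
    """Replay the thread's scenario; True means the attacker still gets in."""
    server = AuthServer(strict)
    server.create_account("victim", "hunter2")              # constructed sample
    # 1. Attacker already knows the password and registers their own device.
    assert server.enroll_device("victim", "hunter2", "attacker-phone")
    # 2. Attacker clears the password step but deliberately withholds the code.
    challenge_id, code = server.begin_login("victim", "hunter2", "attacker-phone")
    # 3. The victim notices and resets the password (device stays enrolled).
    server.reset_password("victim", "correct horse battery staple")
    # 4. Attacker submits the old code without knowing the new password.
    return server.complete_login("victim", challenge_id, code)


if __name__ == "__main__":
    print("vulnerable server, attacker keeps access:", attacker_keeps_access(False))
    print("strict server, attacker keeps access:    ", attacker_keeps_access(True))
```

The design choice worth noting is that the fix does not rely on the user finding and removing the attacker's device, which matches the comment above: the reset itself must invalidate every in-progress login and, in a real system, every session and token minted under the old credentials.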
I appreciate the detailed explanation, I totally see how this is a much bigger deal than I originally thought after reading the blog/article.
Very welcome. I recognize it’s not a situation everyone thinks of if it’s not pointed out.