Microsoft ADFS Vulnerability Allows Threat Actors to Bypass Multi-Factor Authentication

A vulnerability (CVE-2018-8340) has been identified in Microsoft’s Active Directory Federation Services (ADFS) which could allow an attacker to easily bypass multi-factor authentication (MFA).

Many companies use ADFS to protect accounts by adding a second factor to a password, including through products from vendors such as SecureAuth, RSA and Okta. The vulnerability was discovered by Andrew Lee, a security researcher at Okta.

To exploit the vulnerability, an attacker needs an employee’s login credentials and a valid authentication token for that account. The token can then be used as authentication on any other account in Active Directory that has two-factor authentication set up; all that is required for the other account is a username and password. A threat actor can acquire a username and password through a phishing campaign or by brute forcing a weak password.

Getting the second factor token is a bit more challenging. The second factor is usually a cell phone number, a smart card PIN or an email address. That data can also potentially be acquired through phishing, or by impersonating an employee and asking IT support to reset a user's MFA token. It is easier for an insider to exploit the vulnerability, because that person is likely to already possess a legitimate MFA token.

The vulnerability is a result of the way ADFS communicates when a user logs in. When a login attempt is made, the server transmits an encrypted context log that includes the MFA token, but the context log doesn’t include the username. As long as an MFA token has been registered on one account, it can be used as authentication on another. ADFS does not check that the token has been registered by the person attempting to access the account.

Two browsers can be used to gain access to two accounts. One browser is used to access an account using the correct username, password, and MFA token, and the second is used to access an account for which the MFA token is not possessed. By capturing information from the first session, an attacker could use it to access the second account. Any account on the network could be accessed using this method, provided the username and password are known.
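The missing check described above, shown as an added example beside its corrected form; this is a simplified model and not ADFS code or its actual protocol. The function names, the HMAC-sealed JSON context and the accounts `alice` and `bob` are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # constructed key for this model only


def seal(payload: dict) -> str:
    """Integrity-protect a context so the client cannot alter it."""
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def unseal(blob: str) -> Optional[dict]:
    """Return the payload if the tag verifies, else None."""
    body, _, tag = blob.rpartition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return json.loads(body) if ok else None


def mfa_context(user: str, bind_user: bool) -> str:
    """Context issued once `user` has passed the second factor.
    bind_user=False models the flaw: the context omits the username."""
    payload = {"mfa_ok": True}
    if bind_user:
        payload["user"] = user
    return seal(payload)


def finish_login(password_user: str, context: str, require_binding: bool) -> bool:
    """Complete sign-in for the account that passed the password step."""
    payload = unseal(context)
    if payload is None or payload.get("mfa_ok") is not True:
        return False
    if require_binding:
        # Corrected check: the second factor must belong to the same account.
        return payload.get("user") == password_user
    return True  # flawed check: any valid MFA context is accepted
```

The integrity tag alone does not help here: the unbound context is genuine, it simply does not say whose second factor it represents.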



Two-factor authentication can prevent unauthorized access to accounts, although the system is not perfect and can be bypassed, as this vulnerability shows. There have been many data breaches reported where multi-factor authentication was in place but failed to secure accounts, the recently discovered breach at Reddit being another example.

After discovering the flaw, Lee notified Microsoft and the flaw has now been patched. The update was released on Patch Tuesday on August 14.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023.