Hackers Using Advanced MFA-Bypassing Techniques To Gain Access To User Accounts


Researchers have recently detected a disturbing trend of sophisticated attacks specifically designed to evade multi-factor authentication (MFA) protections.

These advanced techniques, which exploit vulnerabilities in authentication workflows rather than the authentication factors themselves, have enabled attackers to gain unauthorized access to protected accounts despite MFA being enabled.

The attacks represent a significant evolution in threat actors’ capabilities and challenge the widespread assumption that MFA provides near-absolute protection against unauthorized access attempts.

Multi-factor authentication has become a cornerstone of cybersecurity defenses, requiring users to verify their identity through multiple methods—typically combining passwords with one-time codes delivered to mobile devices or hardware tokens.

Difference in ‘body’ before and after page loading (Source – Quarkslab)

This layered approach has traditionally presented a formidable barrier to attackers, as compromising multiple authentication factors simultaneously was considered prohibitively difficult or resource-intensive.

Quarkslab’s researchers identified a particularly sophisticated bypass technique that manipulates the authentication process itself rather than attempting to steal or compromise the secondary verification factors.

Their analysis revealed that attackers are exploiting timing vulnerabilities and implementation flaws in how systems validate and track MFA completion status, so that an application is led to treat secondary verification as completed when it has not actually taken place.

The implications of these attacks are particularly concerning as they typically leave minimal forensic evidence compared to traditional brute-force attempts.

Transparent phishing with a reverse proxy (Source – Quarkslab)

Many victims only discover the compromise after noticing unusual account activity, by which time sensitive data may already be exfiltrated. Security teams are finding these attacks especially challenging to detect as they appear as legitimate authentication workflows in security logs.

Analysis of Session Token Manipulation

The most concerning technique identified involves carefully timed manipulation of authentication response data during the verification flow.

When a user initiates authentication, verifying the primary factor (usually a password) produces an initial session token that is marked as pending secondary verification.

Attackers have discovered methods to intercept and modify this token's state flags before the MFA challenge is completed.

The normal authentication flow contrasted with the compromised flow that bypasses verification steps.

The attack typically employs injected JavaScript that rewrites authentication responses before the client acts on them, as demonstrated in this simplified proof-of-concept:

// Intercepts the JSON body of an authentication response and rewrites the
// fields the client uses to decide whether MFA has been completed.
const bypassMFA = async (authResponse) => {
  // Read from a clone so the original body is still intact if it is passed through.
  let responseData = await authResponse.clone().json();
  // Only responses still waiting on the second factor are rewritten.
  if (responseData.status === "awaiting_verification") {
    responseData.auth_status = "verified";
    responseData.mfa_complete = true;
    // Append the verified marker to whatever flags were already present.
    responseData.session_flags = (responseData.session_flags || "") + "|2FA_VERIFIED";
    // Hand back a fresh Response carrying the forged body and the original headers.
    return new Response(JSON.stringify(responseData), {
      status: 200,
      headers: authResponse.headers
    });
  }
  // Anything else passes through untouched.
  return authResponse;
}

This code snippet shows how attackers can intercept an authentication response and modify critical status flags to falsely indicate that MFA verification has been completed. On its own, rewriting a response changes only what the client-side application sees; the bypass succeeds where the application, or a downstream resource server, then trusts those client-held flags instead of re-checking MFA state with the authentication server.

The network traffic showing the precise moment when the modified response is injected into the authentication sequence.

The vulnerability primarily affects systems in which the authentication server and the resource servers each track session state separately.

This architectural decision creates a security gap that can be exploited, particularly during periods of network latency or when specific error conditions occur.

The architectural weakness that enables the attack: the communication gap between authentication providers and application servers creates an exploitation opportunity.
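Because the two systems keep separate records, the gap described above is also where a security team can look for the attack, which the article notes is hard to spot in any single log. The following is an added example, not code from the article or from Quarkslab: it cross-checks the authentication server's record of MFA completion against the resource server's record of which sessions it served as MFA-verified. The event names, field names and every log line are constructed for this example.

```javascript
// Added example (not code from the article or from Quarkslab): cross-check the
// authentication server's record of MFA completion against the resource
// server's record of which sessions it served as MFA-verified. Field names,
// event names and every log line below are constructed for this example.

// Constructed authentication-server log, one JSON object per line.
const AUTH_LOG = [
  '{"ts":"2024-05-01T10:00:01Z","sid":"s-100","user":"alice","event":"password_ok"}',
  '{"ts":"2024-05-01T10:00:02Z","sid":"s-100","user":"alice","event":"mfa_challenge"}',
  '{"ts":"2024-05-01T10:00:20Z","sid":"s-100","user":"alice","event":"mfa_ok"}',
  '{"ts":"2024-05-01T11:15:00Z","sid":"s-200","user":"bob","event":"password_ok"}',
  '{"ts":"2024-05-01T11:15:01Z","sid":"s-200","user":"bob","event":"mfa_challenge"}',
  // s-200 never reaches mfa_ok: the challenge was issued but never answered.
  '{"ts":"2024-05-01T12:00:00Z","sid":"s-300","user":"carol","event":"password_ok"}',
  '{"ts":"2024-05-01T12:00:01Z","sid":"s-300","user":"carol","event":"mfa_challenge"}',
  '{"ts":"2024-05-01T12:00:30Z","sid":"s-300","user":"carol","event":"mfa_ok"}',
].join("\n");

// Constructed resource-server log: each request records the session id and the
// MFA state the application believed at the time it served the request.
const APP_LOG = [
  '{"ts":"2024-05-01T10:00:25Z","sid":"s-100","path":"/api/mail","mfa_flag":true,"status":200}',
  '{"ts":"2024-05-01T11:15:03Z","sid":"s-200","path":"/api/mail","mfa_flag":true,"status":200}',
  '{"ts":"2024-05-01T11:15:04Z","sid":"s-200","path":"/api/export","mfa_flag":true,"status":200}',
  '{"ts":"2024-05-01T12:00:05Z","sid":"s-300","path":"/api/mail","mfa_flag":true,"status":200}',
  '{"ts":"2024-05-01T12:00:40Z","sid":"s-300","path":"/api/mail","mfa_flag":true,"status":200}',
].join("\n");

function parseLines(text) {
  return text.split("\n").filter((l) => l.trim() !== "").map((l) => JSON.parse(l));
}

// Earliest mfa_ok timestamp per session, as recorded by the authentication server.
function mfaCompletionIndex(authLog) {
  const index = new Map();
  for (const e of parseLines(authLog)) {
    if (e.event !== "mfa_ok") continue;
    const t = Date.parse(e.ts);
    if (!index.has(e.sid) || t < index.get(e.sid)) index.set(e.sid, t);
  }
  return index;
}

// Flag every successful request the application served as MFA-verified for which
// the authentication server has no mfa_ok, or only one recorded after the request.
function findUnverifiedAccess(authLog, appLog) {
  const completed = mfaCompletionIndex(authLog);
  const findings = [];
  for (const r of parseLines(appLog)) {
    if (r.status !== 200 || r.mfa_flag !== true) continue;
    const done = completed.get(r.sid);
    if (done === undefined) {
      findings.push({ sid: r.sid, path: r.path, ts: r.ts, reason: "no mfa_ok on auth server" });
    } else if (done > Date.parse(r.ts)) {
      findings.push({ sid: r.sid, path: r.path, ts: r.ts, reason: "mfa_ok recorded after access" });
    }
  }
  return findings;
}

// Each finding names the session, the path served and why the two records disagree.
console.log(findUnverifiedAccess(AUTH_LOG, APP_LOG));
```

On the sample data this reports both of bob's requests (the auth server never recorded an mfa_ok for s-200) and carol's first request (served before her mfa_ok was recorded), while alice's session and carol's later request pass. The ordering check matters: a session whose MFA completion lands after the first protected access is exactly the "timing" case the article describes, and a plain "did mfa_ok ever occur" join would miss it.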

Security experts recommend that organizations validate MFA status continuously throughout the session lifetime rather than only at initial login, check that status against the authentication server rather than against flags supplied by the client, and adopt cryptographically signed tokens that cannot be modified without detection.

Until systems are updated to address these vulnerabilities, users should remain vigilant for unusual account activity that might indicate unauthorized access despite having MFA enabled.



