top | item 44821568

(no title)

iEchoic | 6 months ago

Four times a day, I get an email notification that someone requested a password reset for my Microsoft account, which gives me a six-digit number to recover my account. So every day, an attacker has four shots in 1,000,000 of stealing my account by just guessing the number. They've been doing this for years.

If the attacker's doing this to thousands of accounts - which I'm sure they are - they're going to be stealing accounts for free just by guessing.

I wrote up a security report and submitted it and they said that I hadn't sufficiently mathematically demonstrated that this is a security vulnerability. So your only option is to get spammed and hope your account doesn't get stolen, I guess.

discuss

Lukas_Skywalker|6 months ago

I have added what I think they call login alias to my account. This blocks logins using the normal account username (which is my public email address), and only allows them via the alias (which is not public and just a random string). Not a single foreign login attempt since I enabled the alias.

You can enable it on account.microsoft.com > Account Info > Sign-in preferences > Add email > Add Alias and make it primary. Then click Change Sign-in Preferences, and only enable the alias.

bsimpson|6 months ago

This sounds a lot like Steam, where the name on your profile page is a vanity string that you can change whenever you want, but the actual username in their system is an unrelated (and immutable) ID.

theschmed|6 months ago

I hadn't thought of this use case for aliases.

I had to make my Outlook email primary again on my Microsoft account, unfortunately, because of how I use OneDrive. I send people share invitations and there are scenarios (or at least there were the last time I checked) where sending invitations from the primary account email is the only way to deliver the invite. If your external email alias is primary, they'll attempt to send an email from Outlook's servers that spoofs the alias email :/

Hnrobert42|6 months ago

Then, is the login alias sort of a password? In that, it is something you know.

nomercy400|6 months ago

I had to do this as well. My account got spammed daily in such a way I had to verify my account and change my password on every login.

With the alias I no longer have this issue.

lanfeust6|6 months ago

This is what I do. The crucial thing is to only use the alias for logging in.

NoGravitas|6 months ago

If they are doing this to 125,000 accounts, they should get an average of one account per day, right? So on average it would on average take them 342 years to get any specific account, but as long as they aren't trying for any particular account, they've got a pretty good ROI.

I guess the fix for this would be exponential backoff on failed attempts instead of a static quota of 4 a day?

vdfs|6 months ago

Why would doing this to 125K accounts give them access to one account per day? The chances of guessing 6-digtis pin code for each account is the same (10^6) regdless of how many accounts your are attacking

klabb3|6 months ago

The code length should ideally be adaptive and increase if this happens.

ccppurcell|6 months ago

I get it too! I always assumed it was some hangover from that time I had to use crosses self Microsoft teams.

bradleyankrom|6 months ago

I get a similar message constantly for an old Instagram account - "sorry you're having trouble logging in, click here to log in and change your password!"

Aachen|6 months ago

I had the same issue on a useless old account. Could see the IP addresses of the sign-in attempts, they came from all over the world, all different ISPs, mostly residential. Nearly every request was from a unique /16! If botnets are used for something this useless, I dread to think what challenges at-risk people face

Adding 2FA was the solution

I couldn't find the method they were using in the first place, because for me it always asks for the password and then just logs me in (where were they finding this 6-digit email login option?!), but this apparently blocked that mechanism completely because I haven't seen another sign-in attempt from that moment onwards. The 2FA code is simply stored in the password manager, same as my password. I just wanted them to stop guessing that stupid 6-DIGIT (not even letters!) "password" that Microsoft assigns to the account automatically...

jiggawatts|6 months ago

I was authenticating a set of scripts five times for each run with MFA. Once, it asked me for six MFA prompts with no disambiguating info.

Did I click “Yes” to the attack the fifth time, or was the sixth the attack? Or was it just a “hiccup” in the system?

Do I cancel the migration job and start from the beginning or roll the dice?

It’s beyond idiotic asking a Yes/No question with zero context, but that was the default MFA setup for a few hundred million Microsoft 365 and Azure users for years.

“Peck at this button like a trained parrot! Do it! Now you are ‘secure’ according to our third party audit and we are no longer responsible for your inevitable hack!”

hbn|6 months ago

> “Peck at this button like a trained parrot!

All of the prompts users get these days in an effort to add "security" have trained users to mindlessly say "yes" to everything just so they can access the thing they're trying to do on their computer; we've never had less secure users. The cookie tracking prompts should probably take most of the blame.

I know with the last major macOS update, nearly every app is now repeatedly asking if it can connect to devices on my network. I don't know? I've been saying yes just so I don't have stuff mysteriously break, and I assume most people are too. They also make apps that take screenshots or screen record nag you with prompts to continue having access to that feature. But how many users are really gonna do a proper audit, as opposed to the amount that will just blindly click "sure, leave me alone"?

On my phone, it keeps asking if I want to let apps have access to my camera roll. Those stupid web notifications have every website asking if it can send notifications, so everyone's parents who use desktop Chrome or an Android have a bunch of scam lotto site ad notifications and don't know how to turn them off.

bongodongobob|6 months ago

Should be using app registrations for that, not user accounts.

SergeAx|6 months ago

Four times a day, times say 5 years = 7_300 tries. Times 10_000 accounts ≈ 73_000_000 tries. They should have access to ~70 accounts by now.

Cheapest VPS is $5/month, residential proxies are $3/1Gb, which equals ~$200 / 5 years.

$3 per hacked account — is it good unit economy?

Randor|6 months ago

Microsoft allows you create a second "login only" account username to access your e-mail and other services. I was having the same problem as you but much worse. Check into it, only takes a few minutes to setup.

timdumol|6 months ago

Does adding MFA not protect you against this? If you are secured by a TOTP on top of your password, it should not matter if they manage to reset your password.

Huppie|6 months ago

Somewhat, but imho the Microsoft MFA is also full of similar flaws.

As an example: I've disabled the email and sms MFA methods because I have two hardware keys registered.

However, as soon as my account is added to an azure admin group (e.g. through PIM) an admin policy in azure forces those to 'enabled'.

It took me a long time debugging why the hell these methods got re-enabled every so often, it boils down to "because the azure admin controls for 'require MFA for admins' don't know about TOTP/U2F yet"

Imho it's maddening how bad it is.

w3ll_w3ll_w3ll|6 months ago

Or you could enable MFA?