Description
Microsoft Authenticator Information Disclosure Vulnerability
Cwe is not in rca categories in Microsoft Authenticator allows an unauthorized attacker to disclose information locally.
FAQ
According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
User interaction is required because the user must have a malicious application installed on their device and then accidentally select that application as the handler for the sign‑in deep link. This can occur when the user scans a QR code or taps a sign‑in link and chooses the malicious app instead of Microsoft Authenticator, causing the sign‑in flow to be handled by the attacker‑controlled app.
What type of information could be disclosed by this vulnerability?
This vulnerability could result in disclosure of a one‑time sign‑in code or authentication deep link if the user selects a malicious application as the handler. The malicious app would receive the sign‑in information and could potentially use it to authenticate as the user, allowing access to information or services available to that account.
Updates
| Product | Article | Update |
|---|---|---|
| Microsoft Authenticator for Android | | |
| Microsoft Authenticator for iOS | | |
Exploitability
Publicly Disclosed
Exploited
Latest Software Release
EPSS
CVSS3: 5.5 Medium
Related vulnerabilities
Cwe is not in rca categories in Microsoft Authenticator allows an unauthorized attacker to disclose information locally.
Cwe is not in rca categories in Microsoft Authenticator allows an unauthorized attacker to disclose information locally.
Vulnerability in the Microsoft Authenticator multi-factor authentication application, caused by authorization errors in the handler for a custom URL scheme, allowing an attacker to disclose protected information
EPSS
CVSS3: 5.5 Medium