Microsoft Authenticator Leak Exposes MFA Codes Until App Update

A vulnerability was discovered in the Microsoft Authenticator mobile app that could unintentionally reveal the time‑based one‑time passwords (TOTPs) it generates. The flaw allowed the codes to be displayed in clear text under certain conditions, making them accessible to anyone with physical or remote access to the device until the app was patched.

The exposure undermines multi‑factor authentication, as an attacker who obtains the leaked codes can complete the second‑factor step and gain unauthorized access to protected accounts. Defenders should prioritize forcing updates to the latest Authenticator version, enforce app version checks, monitor for anomalous login patterns, and consider supplemental controls such as hardware tokens or conditional access policies while the issue is being mitigated.

Categories: Vulnerabilities & Exploits, Identity & Access Management