
Outlook 2FA Bypass Vulnerability

It is possible to bypass the verification prompt that follows a successful username and password entry for an email account on outlook.com. This prompt may appear when the device differs from what is expected or when other suspicious markers trigger the verification message. This has been tested in Chrome, but may work in other browsers.

Reproduction steps:

1. Open the Chrome browser and have at least two browser tabs open. In one of the tabs, go to outlook.com and click 'Sign in':

[Screenshot: bypass1.jpg]

2. Enter the email address (username) of a test email account
3. Enter the password when prompted
4. The verification prompt will appear: 'Help us protect your account. We've detected something unusual...'

[Screenshot: bypass2.jpg]

5. Check the option 'I don't have these any more' but don't click on 'Verify Online'
6. Click 'back' in the browser to go back one page, where the password prompt screen will appear.
7. Close this particular outlook.com tab within the browser.
8. Open a new tab within Chrome, go to outlook.com and click 'Sign in'
9. A message should appear prompting 'Is your security info still accurate?' Click on 'Looks good'.

[Screenshot: bypass3.jpg]

10. A prompt should appear asking whether to stay signed in, which you can answer with either yes or no.

[Screenshot: bypass4.jpg]

11. The Outlook email screen is now available, fully logged in as the test user account.

[Screenshot: bypass55.jpg]

12. It is also possible, from step 5, to click on 'Verify online' and then, when the next verification screen appears, click the browser's back button twice. The prompt asking whether to stay signed in (step 10) then appears, and after clicking either yes or no, one is straight into the account.

13. This vulnerability appears to work on all versions of Chrome and may work in other browsers (untested).
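The report does not identify the root cause on Microsoft's side. The added example below is hypothetical Python, not Microsoft's code, and illustrates the general flaw class consistent with the symptoms described: a server-side sign-in flow that issues a session once the password step has succeeded, without confirming that a required step-up verification was actually completed, placed beside a hardened policy that refuses a session until every required step is done. All function names, the `LoginState` fields and the credential store are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional
import secrets

# Constructed sample credential store; a real identity provider would
# store password hashes, not plaintext.
USERS = {"test@example.com": "correct-horse-battery"}


@dataclass
class LoginState:
    """Server-side state for one sign-in attempt (hypothetical model)."""
    user: Optional[str] = None
    password_ok: bool = False
    step_up_required: bool = False   # extra verification demanded (new device, etc.)
    step_up_passed: bool = False
    challenge_code: Optional[str] = None


def submit_password(state: LoginState, user: str, password: str) -> str:
    """Username and password step. On success the risk engine may demand a
    step-up challenge; here every sign-in is treated as suspicious."""
    if USERS.get(user) != password:
        return "denied"
    state.user = user
    state.password_ok = True
    state.step_up_required = True
    # In practice this code would be delivered out of band (SMS, app, email).
    state.challenge_code = secrets.token_hex(3)
    return "challenge"


def submit_challenge(state: LoginState, code: str) -> str:
    """Step-up verification: the user proves possession of the extra factor."""
    if state.step_up_required and code == state.challenge_code:
        state.step_up_passed = True
        return "verified"
    return "denied"


def issue_session_weak(state: LoginState) -> Optional[str]:
    """Flawed policy: trusts the password step alone. A later request to the
    sign-in endpoint (new tab, back button) reaches this check with the
    challenge still pending and is granted a session anyway."""
    if state.password_ok:
        return "session:" + str(state.user)
    return None


def issue_session_hardened(state: LoginState) -> Optional[str]:
    """Correct policy: a session exists only when every required step is done.
    Pending step-up means the caller is sent back to the challenge."""
    if state.password_ok and (not state.step_up_required or state.step_up_passed):
        return "session:" + str(state.user)
    return None


def simulate_abandoned_challenge(issue_session) -> Optional[str]:
    """Replays the reported sequence: password accepted, challenge shown,
    user navigates away without answering, then asks for the signed-in page."""
    state = LoginState()
    assert submit_password(state, "test@example.com", "correct-horse-battery") == "challenge"
    # No call to submit_challenge: the user pressed back and opened a new tab.
    return issue_session(state)


def simulate_completed_challenge(issue_session) -> Optional[str]:
    """Control case: the user answers the challenge correctly first."""
    state = LoginState()
    submit_password(state, "test@example.com", "correct-horse-battery")
    assert submit_challenge(state, state.challenge_code) == "verified"
    return issue_session(state)


if __name__ == "__main__":
    print("weak policy, challenge abandoned:    ", simulate_abandoned_challenge(issue_session_weak))
    print("hardened policy, challenge abandoned:", simulate_abandoned_challenge(issue_session_hardened))
    print("hardened policy, challenge completed:", simulate_completed_challenge(issue_session_hardened))
```

The point of the hardened variant is that the decision to grant a session is made from the server's own record of which steps completed, never from the order in which pages were requested or from a client-side flag; the same check should run on every endpoint that can hand out a session, including any "is your security info still accurate?" or "stay signed in?" interstitial.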


This has been reported to Microsoft.
