Researcher Awarded $50,000 by Microsoft under its Bug Bounty Program for Spotting an Account Hijacking Vulnerability


Microsoft recently awarded $50,000 to a bug bounty hunter for disclosing a major vulnerability in its services that could have led to account hijacking. Laxman Muthiyah, an Indian researcher, received the prize as part of Microsoft's bug bounty program on HackerOne. The vulnerability could have allowed any user to access any Microsoft account without authorization.

Muthiyah had previously discovered a similar vulnerability in Instagram that could have led to account takeover; for that report he was awarded $30,000. He found both vulnerabilities using the same technique, targeting the flow that resets a user's password.

Muthiyah noticed that when a user resets a password through the "forgotten password" flow, the company asks for an email address or phone number. A 7-digit code is then sent to that email address or number for verification, and entering it allows the password to be changed. The website is designed to stop attackers from brute-forcing this code through rate limiting, additional checks, and encryption of the submitted code. Muthiyah worked out the encryption the company was using, which allowed him to automate the whole procedure, from encrypting the code to sending many consecutive requests.

In his first test he sent 1000 codes, of which only 122 got through; the rest received an error code, and further requests from the test account were blocked. Muthiyah later managed to get around both the blocking mechanism and the encryption. He found that a gap of even a few milliseconds between requests was enough for them to be observed and blocked.

To get around this, Muthiyah switched to sending the requests in parallel: he transmitted 1000 seven-digit codes at once and was able to identify the correct code and change the password. He also observed that the two-factor authentication flow used the same endpoint and was unprotected against an identical attack; the only difference was that the attack had to be carried out twice to change the password.
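The weakness the article describes is a rate limit that only holds when requests arrive one after another: a check-then-update attempt counter lets a burst of concurrent guesses pass the check before any of them updates the count. The following is an added example written for this article, not code from Microsoft or from the researcher; it contrasts a naive counter with a verifier that enforces the attempt budget atomically and invalidates the code after one successful use. The attempt limit, the constructed 7-digit codes, and the simulated request burst are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import threading
import time
from concurrent.futures import ThreadPoolExecutor

MAX_ATTEMPTS = 10  # assumed per-code attempt budget for the demo


def generate_code() -> str:
    """A 7-digit numeric reset code, as described in the article."""
    return f"{secrets.randbelow(10**7):07d}"


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()


class NaiveVerifier:
    """Counts attempts with a separate check and update: not safe under concurrency."""

    def __init__(self, code: str, max_attempts: int = MAX_ATTEMPTS):
        self._digest = _digest(code)
        self._max = max_attempts
        self._attempts = 0

    def verify(self, candidate: str) -> str:
        if self._attempts >= self._max:          # check
            return "rejected"
        time.sleep(0.001)                         # other requests are in flight here
        self._attempts += 1                       # update (too late for a parallel burst)
        if hmac.compare_digest(_digest(candidate), self._digest):
            return "ok"
        return "wrong"


class AtomicVerifier:
    """Check, update and compare under one lock; the code is single-use."""

    def __init__(self, code: str, max_attempts: int = MAX_ATTEMPTS):
        self._digest = _digest(code)
        self._remaining = max_attempts
        self._consumed = False
        self._lock = threading.Lock()

    def verify(self, candidate: str) -> str:
        with self._lock:
            if self._consumed or self._remaining <= 0:
                return "rejected"
            self._remaining -= 1                  # budget is spent before the compare
            if hmac.compare_digest(_digest(candidate), self._digest):
                self._consumed = True             # a used code can never verify again
                return "ok"
            return "wrong"


def run_burst(verifier, candidates: list, workers: int = 200) -> dict:
    """Fire all candidate codes concurrently and count how many were actually evaluated."""
    counts = {"ok": 0, "wrong": 0, "rejected": 0}
    count_lock = threading.Lock()

    def attempt(cand: str) -> None:
        result = verifier.verify(cand)
        with count_lock:
            counts[result] += 1

    with ThreadPoolExecutor(max_workers=workers) as pool:
        list(pool.map(attempt, candidates))
    counts["evaluated"] = counts["ok"] + counts["wrong"]
    return counts


# Constructed burst: 200 sequential guesses, with the real code placed among them.
REAL_CODE = "0000150"
GUESSES = [f"{i:07d}" for i in range(200)]


def naive_burst() -> dict:
    return run_burst(NaiveVerifier(REAL_CODE), GUESSES)


def atomic_burst() -> dict:
    return run_burst(AtomicVerifier(REAL_CODE), GUESSES)


if __name__ == "__main__":
    print("naive :", naive_burst())    # far more than MAX_ATTEMPTS guesses get evaluated
    print("atomic:", atomic_burst())   # never more than MAX_ATTEMPTS, regardless of parallelism
```

The detection angle follows from the same structure: a reset endpoint that accepts more verification attempts per code than its limit allows, or that records a burst of near-simultaneous attempts for one account, is the signal that the budget is being enforced per request rather than per code.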

Muthiyah documented his findings and sent Microsoft a proof-of-concept video as evidence. “The tech giant was quick in acknowledging the issue and a patch was issued in November 2020,” he said. “I would like to thank Dan, Jarek, and the entire MSRC Team for patiently listening to all my comments, providing updates, and patching the issue,” Muthiyah commented.

However, this attack vector is not an easy one. Brute-forcing a single seven-digit code would require heavy computing power, and when combined with a 2FA code it could require millions of requests in total. Microsoft assigned the vulnerability a severity rating of “important,” according to an email screenshot shared by Muthiyah.

The $50,000 bounty was paid to Muthiyah on February 9 through the HackerOne bug bounty platform, which Microsoft partners with to distribute its bounties. Muthiyah received permission to publish the vulnerability on March 1, 2021.
