Microsoft recently awarded $50,000 to a bug bounty hunter for disclosing a major vulnerability in its services that could have led to account hijacking. Laxman Muthiyah, an Indian security researcher, received the award through Microsoft’s HackerOne bug bounty program. The vulnerability could have allowed any user to access any Microsoft account without authorization.
Muthiyah had previously discovered a similar vulnerability in Instagram that could have led to account takeover, for which he was awarded $30,000. He found both vulnerabilities using the same technique, aimed at the flow for resetting a user’s password.
Muthiyah noticed that when a user resets a password through the “forgotten password” option, the company asks for an email address or phone number and then sends a 7-digit verification code to it; entering that code allows the password to be changed. The website tries to stop attackers from brute-forcing this code through rate limiting, additional checks, and encryption of the submitted code. Muthiyah, however, worked out the encryption the company was using, which let him automate the whole procedure, from encrypting each code to sending many consecutive requests.
In his first attempt he sent 1000 codes, of which only 122 got through; the rest returned an error code, and further requests from the test account were blocked. Muthiyah later found a way around both the blocking mechanism and the encryption. He discovered that even a delay of a few milliseconds between requests was enough for them to be detected and blocked.
To get around this, Muthiyah switched to sending the requests in parallel: he transmitted 1000 seven-digit codes simultaneously and obtained the correct code, which allowed him to change the password. He also observed that the two-factor authentication flow used the same endpoint and was open to an identical attack; the only difference was that the attack had to be carried out twice to change the password.
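The weakness described above is a rate limit that can be outrun by concurrent requests. The following is an added illustration of the defensive pattern that closes that gap; it is not Microsoft’s fix (the article does not describe what was deployed) and the account name, code length and attempt limit are assumptions. The verifier counts every attempt before it compares anything, does so under a lock so parallel requests cannot share one “free” attempt, discards the code once the budget is spent, and makes each code single-use.

```python
import hmac
import secrets
import threading
from concurrent.futures import ThreadPoolExecutor

# Assumed parameters for this example (not values from the article).
CODE_LENGTH = 7
MAX_ATTEMPTS = 5


class ResetCodeStore:
    """In-memory store of password-reset codes with a per-account attempt budget.

    The attempt counter is incremented *before* the comparison and under a lock,
    so N concurrent requests consume N attempts instead of each seeing the same
    pre-increment count. Once the budget is exhausted the code is thrown away.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS):
        self._lock = threading.Lock()
        self._codes = {}        # account -> outstanding code
        self._attempts = {}     # account -> verification attempts so far
        self._compared = 0      # diagnostic: how many comparisons actually ran
        self.max_attempts = max_attempts

    def issue(self, account):
        """Generate a fresh code for an account and reset its attempt counter."""
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        with self._lock:
            self._codes[account] = code
            self._attempts[account] = 0
        return code

    def verify(self, account, guess):
        """Return True only if the guess matches and the attempt budget is not spent."""
        with self._lock:
            if account not in self._codes:
                return False                      # no outstanding code (never issued, used, or burned)
            self._attempts[account] += 1          # count first, then compare
            if self._attempts[account] > self.max_attempts:
                del self._codes[account]          # budget exhausted: burn the code
                return False
            self._compared += 1
            ok = hmac.compare_digest(self._codes[account], guess)  # constant-time compare
            if ok:
                del self._codes[account]          # single-use: a correct code cannot be replayed
            return ok

    @property
    def comparisons_made(self):
        return self._compared


def simulate_parallel_guessing(store, account, real_code, n_requests=1000, workers=50):
    """Fire n_requests wrong guesses concurrently; return how many were accepted."""
    # Constructed guesses: distinct 7-digit strings, with the real code excluded.
    candidates = (f"{i:0{CODE_LENGTH}d}" for i in range(n_requests + 1))
    guesses = [g for g in candidates if g != real_code][:n_requests]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda g: store.verify(account, g), guesses))
    return sum(1 for r in results if r)


if __name__ == "__main__":
    store = ResetCodeStore()
    account = "alice@example.test"                # assumed account identifier
    code = store.issue(account)
    accepted = simulate_parallel_guessing(store, account, code)
    print(f"accepted: {accepted}, comparisons actually run: {store.comparisons_made}")
    print("real code still valid after lockout:", store.verify(account, code))
```

A single process-wide lock is used here only to keep the example self-contained; in a real deployment the increment-then-check step must be just as atomic across all servers, for example as a single counter operation in a shared store keyed by account, and the same budget should cover the 2FA endpoint, since the article notes it shared the reset endpoint’s behaviour.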
Muthiyah documented his findings and sent Microsoft a proof-of-concept video. “The tech giant was quick in acknowledging the issue and a patch was issued in November 2020,” he said. “I would like to thank Dan, Jarek, and the entire MSRC Team for patiently listening to all my comments, providing updates, and patching the issue,” Muthiyah commented.
That said, the attack is not an easy one to carry out: guessing a single seven-digit code requires substantial computing resources, and combined with the 2FA code it could take millions of requests in total. Microsoft assigned the vulnerability a severity rating of “important”, according to an email screenshot shared by Muthiyah.
The $50,000 bounty was paid to Muthiyah on February 9 through the HackerOne platform, Microsoft’s partner for distributing bounties. Muthiyah was given permission to publicly disclose the vulnerability on March 1, 2021.