Researcher Awarded $50,000 by Microsoft Under Its Bug Bounty Program for Spotting an Account Hijacking Vulnerability


Microsoft recently awarded $50,000 to a bug bounty hunter for disclosing a major vulnerability in its services that could have resulted in account hijacking. Laxman Muthiyah, an Indian researcher, received the prize as part of Microsoft's HackerOne bug bounty program. The vulnerability could have enabled anyone to access any Microsoft account without authorization.

Muthiyah had previously discovered a similar vulnerability in Instagram that would have allowed account takeover; for that finding he was awarded $30,000. He discovered both vulnerabilities using the same technique against the password reset flow.

Muthiyah noticed that when a password is reset through the "forgotten password" flow, the company asks for an email address or phone number and then sends a seven-digit code to it; entering that code allows the password to be changed. The website stops attackers from brute-forcing this code through rate limiting, additional checks, and encryption of the code inside the request. Muthiyah worked out the encryption the company was using and automated the whole procedure, from encrypting a code to sending many consecutive requests.

In his first test he sent out 1,000 codes, of which only 122 got through; the rest received an error response, and further requests from the test account were blocked. Muthiyah later managed to get around both the blocking mechanism and the encryption. He found that even a delay of a few milliseconds between requests was enough for the server to notice them and block the account.

To get around this, Muthiyah switched to a parallel-processing strategy: he transmitted 1,000 seven-digit codes simultaneously and was able to hit the correct code and change the password. He also observed that the two-factor authentication flow used the same endpoint and was unprotected against the identical attack; the only difference was that the attack had to be carried out twice to change the password.
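The flaw class behind this report is a rate limit whose "check the counter, then raise it" steps are not atomic, so concurrent requests can all read the counter before any of them updates it. The following added example (not Microsoft's code or Muthiyah's tooling; the class names, the five-attempt limit and the simulated latency are assumptions) models a code verifier in both forms and measures how many guesses each one actually evaluates when a burst of requests arrives at once. It is the kind of regression test a defender would keep next to an OTP or reset-code endpoint.

```python
import hmac
import threading
import time


class NaiveOtpVerifier:
    """Check-then-increment with no synchronisation (hypothetical model of the
    flawed pattern). Between reading the counter and raising it there is a
    window (a database round trip in real systems) during which other requests
    still see the counter below the limit."""

    def __init__(self, secret_code: str, limit: int = 5, race_window: float = 0.005):
        self.secret_code = secret_code
        self.limit = limit
        self.attempts = 0
        self.race_window = race_window  # constructed stand-in for backend latency

    def verify(self, guess: str):
        """Returns None when locked out, otherwise whether the guess matched."""
        if self.attempts >= self.limit:
            return None
        time.sleep(self.race_window)  # latency sits between the check and the update
        self.attempts += 1
        return hmac.compare_digest(guess, self.secret_code)


class AtomicOtpVerifier:
    """Hardened form: the attempt slot is reserved atomically before any
    comparison happens, so at most `limit` guesses are ever evaluated."""

    def __init__(self, secret_code: str, limit: int = 5, race_window: float = 0.005):
        self.secret_code = secret_code
        self.limit = limit
        self.attempts = 0
        self.race_window = race_window
        self._lock = threading.Lock()

    def verify(self, guess: str):
        with self._lock:  # check and increment happen as one step
            if self.attempts >= self.limit:
                return None
            self.attempts += 1
        time.sleep(self.race_window)  # latency outside the critical section is harmless
        return hmac.compare_digest(guess, self.secret_code)


def evaluated_under_burst(verifier, guesses):
    """Fire every guess from its own thread at the same time and count how many
    received a real answer (True/False) instead of the lockout response."""
    results = [None] * len(guesses)

    def worker(i, guess):
        results[i] = verifier.verify(guess)

    threads = [threading.Thread(target=worker, args=(i, g)) for i, g in enumerate(guesses)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for r in results if r is not None)


if __name__ == "__main__":
    # Constructed sample: 50 concurrent wrong guesses against a 5-attempt limit.
    burst = ["1234567"] * 50
    print("naive  :", evaluated_under_burst(NaiveOtpVerifier("0000000"), burst), "evaluated")
    print("atomic :", evaluated_under_burst(AtomicOtpVerifier("0000000"), burst), "evaluated")
```

Run with a limit of 5 and 50 simultaneous requests, the locked verifier evaluates exactly 5 guesses; the naive one typically evaluates far more than 5 because every thread passes the check before the first increment lands. In production the same property has to hold across application instances, which means the counter and its check belong in a single atomic operation on shared storage (a conditional update or an atomic increment whose result is compared to the limit), keyed on the account being reset rather than only on the requesting client.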

Muthiyah documented his findings and sent Microsoft a proof-of-concept video as evidence. "The tech giant was quick in acknowledging the issue and a patch was issued in November 2020," he said. "I would like to thank Dan, Jarek, and the entire MSRC Team for patiently listening to all my comments, providing updates, and patching the issue," Muthiyah commented.

However, this attack vector is not an easy one. Getting past a single seven-digit code requires substantial computing power, and combined with a 2FA code it could require millions of requests in total. Microsoft assigned the vulnerability a severity rating of "important", according to an email screenshot shared by Muthiyah.

The $50,000 bounty was paid to Muthiyah on February 9 through the HackerOne platform, Microsoft's partner for distributing bounties. Muthiyah received permission to publish the vulnerability on March 1, 2021.
