Microsoft awards around Rs 37 lakhs bounty to Chennai-based security researcher: Here’s the reason

Microsoft has awarded a bounty of $50000 (around Rs 37 lakhs) to a Chennai-based security researcher, Laxman Muthiyah for drawing attention to a “potential vulnerability” on Microsoft online services. Muthiyah wrote in a blog post that the vulnerability might have allowed anyone to take over any Microsoft account on the company’s online services without consent permission.

The issue has since then been patched by the Microsoft security team. The bounty was rewarded to Muthiyah as part of Microsoft’s Identity Bounty Program. The security researcher said that the vulnerability in Microsoft online services was similar to a loophole in Instagram that was discovered by him previously.

Microsoft awards $50000 to Chennai-based developer: What was the loophole?

Muthiyah was to potentially take over anyone’s account on Microsoft online services by exploiting a vulnerability where a user needs to enter a 7-digit code sent on their email address or phone number to reset their password, in their forgot password page.

“Once we receive the 7 digit security code, we will have to enter it to reset the password. Here, if we can bruteforce all the combination of 7 digit code (that will be 10^7 = 10 million codes), we will be able to reset any user’s password without permission,” he explained.

“But, obviously, there will be some rate limits that will prevent us from making large number of attempts.” However, after a few days of effort, he was successfully able to spot the flaw that allowed him to take over someone’s account on Microsoft online services.

Microsoft patched the issue in November

“Immediately, I recorded a video of all the bypasses and submitted it to Microsoft along with detailed steps to reproduce the vulnerability. They were quick in acknowledging the issue,” the researcher pointed out. According to the researcher, Microsoft patched the issued in November 2020. Consequently, Muthiyah was awarded a bounty of $50,000 on February 9, 20201, he revealed.

Go to Source

Leave a Reply

Your email address will not be published.