Indian security researcher gets Rs 36 lakh reward from Microsoft for bug alert

Security researcher Laxman Muthiyah earlier won bug bounty from Facebook for finding a similar account takeover vulnerability in Instagram.
Laxman Muthiyah
Laxman Muthiyah
Written by:

Microsoft has awarded $50,000 (approximately Rs 36 lakh) to a Chennai-based security researcher for spotting vulnerability on the company's online services that "might have allowed anyone to take over any Microsoft account without consent".

After assessing his report, the Microsoft security team patched the issue and rewarded him $50,000 as a part of their Identity Bounty Program, security researcher Laxman Muthiyah wrote in a blog post on Tuesday.

Muthiyah had earlier won bug bounty from Facebook for finding a similar account takeover vulnerability in Instagram.

"I found Microsoft is also using the similar technique to reset user's password so I decided to test them for any rate limiting vulnerability," he said.

Muthiyah explained that to reset a Microsoft account's password, users need to enter email address or phone number in their forgot password page. After that, they will be asked to select the email or mobile number that can be used to receive the security code. 

Once they receive the 7-digit security code, they will have to enter it to reset the password.

"Here, if we can bruteforce all the combination of 7 digit code, we will be able to reset any user's password without permission. But, obviously, there will be some rate limits that will prevent us from making a large number of attempts," he said.

"Putting all together, an attacker has to send all the possibilities of 6 and 7 digit security codes that would be around 11 million request attempts and it has to be sent concurrently to change the password of any Microsoft account (including those with 2FA enabled)," he added.  

After several days of efforts, he was able to spot the account takeover flaw.

"Immediately, I recorded a video of all the bypasses and submitted it to Microsoft along with detailed steps to reproduce the vulnerability. They were quick in acknowledging the issue," Muthiyah said.

Related Stories

No stories found.
The News Minute
www.thenewsminute.com