An Indian security researcher has won Rs. 36 lakhs from Microsoft under the company’s bug bounty program. Microsoft paid $50,000 (approximately ₹36,36,875) to the researcher for finding a major vulnerability in its services that left people’s Microsoft accounts susceptible to hijacking. The techie, Laxman Muthiyah, was honored as part of Microsoft’s HackerOne bug bounty program. Had the vulnerability gone unfixed, it could have allowed attackers to completely hijack a user’s account without any notification to the user.
Muthiyah had recently demonstrated a similar vulnerability on Instagram, for which he was awarded $30,000: the Instagram rate-limiting bug he found could likewise be used to hijack someone’s account. So when he discovered that Instagram and Microsoft used a similar technique to reset a user’s password, he decided to test Microsoft with the same methods, which he suspected would work.
Muthiyah observed that although the site did not allow attackers to simply brute-force the authentication codes used to enable a password reset, the whole process, from encrypting the code the way the site does to sending many requests at once, could be automated.
He sent 1000 codes, of which only 122 received an odd 1211 error code. The same did not happen with the actual code received for the account via email. He later found out that the other codes were being blocked because the server would blacklist the IP address unless all the requests hit the server at the same time.
Laxman then adjusted his code to deal with this, and it worked. He sent 1000 codes at once and succeeded in getting the option to change the password. While this result was for accounts without two-factor authentication, he observed that the 2FA flow used the same endpoint and was vulnerable to the same attack; to gain the ability to change the password, the attacker would only have to do this twice.
Muthiyah said, “Putting it all together, an attacker has to send all the possibilities of 6- and 7-digit security codes, which would be around 11 million request attempts, and they have to be sent concurrently to change the password of any Microsoft account (including those with 2FA enabled).”
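The root cause the article describes is a rate limit that was enforced per client IP and only bit against sequential guessing, so requests that arrived together were all evaluated. The Python example below is added here for illustration; it is not code from the article, from the researcher, or from Microsoft. It simulates a naive check-then-increment verifier beside a hardened one that keys the attempt budget on the account being reset rather than the IP, makes the read-modify-write atomic, and burns the code once the budget is spent or the code is used. The attempt limit, account name, client IP and reset code are constructed values.

```python
import secrets
import threading

MAX_ATTEMPTS = 5                      # assumed policy: guesses allowed per issued code
RESET_CODE = "4831907"                # constructed sample 7-digit code
SOURCE_IP = "198.51.100.7"            # constructed client address (documentation range)


class NaiveVerifier:
    """Per-IP check-then-increment with no lock.

    Requests that arrive together all read the counter before any of them
    writes it back, so the limit only bites against sequential guessing.
    """

    def __init__(self, code):
        self.code = code
        self.attempts_by_ip = {}

    def verify(self, ip, candidate, barrier=None):
        count = self.attempts_by_ip.get(ip, 0)        # read ...
        if count >= MAX_ATTEMPTS:
            return "blocked"
        if barrier is not None:
            barrier.wait()          # holds every request in the race window (demo only)
        self.attempts_by_ip[ip] = count + 1           # ... modify, write: not atomic
        return "ok" if candidate == self.code else "wrong"


class HardenedVerifier:
    """Budget is tied to the account being reset, not the client IP; the
    read-modify-write happens under a lock; the code is invalidated once the
    budget is spent or the code is used, so parallel requests gain nothing."""

    def __init__(self, account, code):
        self.account = account
        self.code = code
        self.attempts_by_account = {}
        self.lock = threading.Lock()

    def verify(self, ip, candidate, barrier=None):
        if barrier is not None:
            barrier.wait()
        with self.lock:
            if self.code is None:                      # already burned
                return "blocked"
            used = self.attempts_by_account.get(self.account, 0) + 1
            self.attempts_by_account[self.account] = used
            if secrets.compare_digest(candidate, self.code):
                self.code = None                       # single use
                return "ok"
            if used >= MAX_ATTEMPTS:
                self.code = None                       # budget spent: force a fresh code
            return "wrong"


def simulate(verifier, n_requests, ip=SOURCE_IP):
    """Fire n_requests wrong guesses at the verifier simultaneously from one IP
    and return how many the limiter actually let through to be evaluated."""
    barrier = threading.Barrier(n_requests)
    results = [None] * n_requests

    def worker(i):
        results[i] = verifier.verify(ip, f"{i:07d}", barrier)   # never equals RESET_CODE

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(r != "blocked" for r in results)


if __name__ == "__main__":
    naive = NaiveVerifier(RESET_CODE)
    print("naive   : evaluated", simulate(naive, 50), "of 50 concurrent guesses;",
          "counter now", naive.attempts_by_ip[SOURCE_IP])
    hardened = HardenedVerifier("victim@example.com", RESET_CODE)
    print("hardened: evaluated", simulate(hardened, 50), "of 50 concurrent guesses;",
          "correct code afterwards ->", hardened.verify(SOURCE_IP, RESET_CODE))
```

With the naive verifier all 50 simultaneous guesses are evaluated and the counter ends at 1, so the correct code still works afterwards; with the hardened one exactly five are evaluated and the code is gone. In a real deployment the lock and dictionary would be replaced by an atomic increment in shared storage (for example a single atomic counter operation in the session store) so that every application instance sees the same budget.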
He recorded a comprehensive video with all the detailed steps and instructions for the vulnerability and sent it to Microsoft by email. He said the issue was dealt with promptly by Microsoft. Muthiyah received the $50,000 reward on February 9, 2021, and on March 1, 2021, he was allowed to publish the vulnerability.
“The issue was patched in November 2020 and my case was assigned a different security impact than the one expected. I asked them to reconsider the security impact, explaining my attack. After a few back-and-forth emails, my case was assigned to Elevation of Privilege (Involving Multi-factor Authentication Bypass). Due to the complexity of the attack, the bug severity was assigned as Important instead of Critical.”
Microsoft Account Takeover! 😊😇 Thank you very much @msftsecresponse for the bounty! 🙏🙏🙏
Write up – https://t.co/9ATsxAUfeB pic.twitter.com/pDEYv5f400
— Laxman Muthiyah (@LaxmanMuthiyah) March 2, 2021