After assessing his report, the Microsoft security team patched the issue and rewarded him $50,000 as a part of their Identity Bounty Program, security researcher Laxman Muthiyah wrote in a blog post
Chennai: Microsoft has awarded a Chennai-based security researcher $50,000 (approximately Rs 36 lakh) for spotting vulnerability on the company’s online services that “might have allowed anyone to takeover any Microsoft account without consent”.
After assessing his report, the Microsoft security team patched the issue and rewarded him $50,000 as a part of their Identity Bounty Program, security researcher Laxman Muthiyah wrote in a blog post on Tuesday. Muthiyah earlier won bug bounty from Facebook for finding a similar account takeover vulnerability in Instagram.
“I found Microsoft is also using the similar technique to reset user’s password so I decided to test them for any rate limiting vulnerability,” he said.
Muthiyah explained that to reset a Microsoft account’s password, users need to enter email address or phone number in their forgot password page. After that they will be asked to select the email or mobile number that can be used to receive the security code.
Once they receive the 7-digit security code, they will have to enter it to reset the password.
“Here, if we can bruteforce all the combination of 7 digit code, we will be able to reset any user’s password without permission. But, obviously, there will be some rate limits that will prevent us from making a large number of attempts,” he said.
After several days of efforts, he was able to spot the account takeover flaw.
“Immediately, I recorded a video of all the bypasses and submitted it to Microsoft along with detailed steps to reproduce the vulnerability. They were quick in acknowledging the issue,” Muthiyah said.