Bug bounty hunter awarded $50,000 for a Microsoft account hijack flaw

A researcher received a $50,000 bug bounty from Microsoft for reporting a vulnerability that could have allowed an attacker to hijack any consumer account.


Microsoft has awarded the security researcher Laxman Muthiyah $50,000 for reporting a vulnerability that could have allowed anyone to hijack users’ accounts without consent.

According to the expert, the vulnerability only impacts consumer accounts.


The vulnerability stems from the ability to brute-force the seven-digit security code that Microsoft sends via email or SMS as a verification step in the password reset procedure.


“To reset a Microsoft account’s password, we need to enter our email address or phone number in their forgot password page, after that we will be asked to select the email or mobile number that can be used to receive the security code,” the expert wrote. “Once we receive the 7 digit security code, we will have to enter it to reset the password. Here, if we can bruteforce all the combinations of the 7 digit code (that will be 10^7 = 10 million codes), we will be able to reset any user’s password without permission.”


The researcher pointed out that rate limits are in place to cap the number of attempts and protect accounts against exactly this kind of guessing.
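The defence the article refers to is a per-challenge attempt cap on the reset code: a seven-digit code gives 10^7 possibilities, but if each issued code only survives a handful of wrong guesses (and expires after a short time), an attacker's chance of landing on the right value is bounded by attempts divided by keyspace rather than by how fast they can send requests. The following is an added illustration written for this article, not Microsoft's implementation; the class and function names, the attempt cap of 5 and the 10-minute lifetime are assumptions chosen for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 7          # 10**7 possible codes, as in the article
MAX_ATTEMPTS = 5         # assumed cap on wrong guesses per issued code
CODE_TTL_SECONDS = 600   # assumed lifetime of an issued code


@dataclass
class ResetChallenge:
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class PasswordResetService:
    """Issues and verifies reset codes with a per-code attempt budget."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing expiry
        self._challenges = {}        # account id -> ResetChallenge

    def issue_code(self, account_id):
        # Uniformly random, zero-padded code; a real service delivers it
        # out of band (SMS/email) instead of returning it to the caller.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._challenges[account_id] = ResetChallenge(code=code, issued_at=self._clock())
        return code

    def verify_code(self, account_id, submitted):
        ch = self._challenges.get(account_id)
        if ch is None or ch.consumed:
            return "no_active_code"
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            self._challenges.pop(account_id, None)
            return "expired"
        if ch.attempts >= MAX_ATTEMPTS:
            return "locked"
        ch.attempts += 1
        # Constant-time comparison so the check leaks nothing about the code.
        if hmac.compare_digest(ch.code, str(submitted)):
            ch.consumed = True       # one successful use, then the code is dead
            return "ok"
        if ch.attempts >= MAX_ATTEMPTS:
            # Budget exhausted: invalidate the code, forcing a fresh one to be
            # requested (which the user, not the attacker, will receive).
            self._challenges.pop(account_id, None)
            return "locked"
        return "wrong"


def worst_case_guess_probability():
    """Upper bound on an attacker's success chance against one issued code."""
    return MAX_ATTEMPTS / (10 ** CODE_DIGITS)


if __name__ == "__main__":
    svc = PasswordResetService()
    real = svc.issue_code("demo-account")
    # Simulate a guesser that never sees the real code.
    outcomes = [svc.verify_code("demo-account", f"{i:07d}") for i in range(6)]
    print(outcomes)                       # wrong x4, locked, then no_active_code
    print(worst_case_guess_probability())  # 5e-07
```

The important design choice is that the budget is tied to the issued code, not to the client: rotating IP addresses or sessions does not buy more guesses, and once the budget is spent the code itself is discarded.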


Analysis of the HTTP POST request that validates the code showed that the code is encrypted before being sent, so automating a brute-force attack would first require defeating that encryption.


“If you look at the screenshot above, the code 1234567 we entered was nowhere present in the request. It ..