Flaw allowed bypassing verification code, log in to any Microsoft account

Flaw allowed bypassing verification code, log in to any Microsoft account

A bug bounty hunter has received $50,000 from Microsoft for identifying and reporting vulnerability that would involve brute-forcing the 7-digit security code sent to a user to verify identity and access their account.



 


Independent security researcher and white-hat hacker Laxman Muthiyah reported a vulnerability to Microsoft that could brute-force the 7-digit security code sent to a user’s mobile number or email address to validate identity and reset the password to get access to the account.


Microsoft has awarded Muthiyah a $50,000 reward under its bug bounty program for reporting the flaw that could allow a threat actor to hijack just about any Microsoft account.


Muthiyah is no stranger to identifying critical bugs. In 2019 he identified a bug that could allow anyone to carry out brute-force attacks for hacking Instagram accounts and was rewarded $30,000.


In 2015, Muthiyah identified a flaw that could allow him to delete all photos from anyone’s Facebook account.


The recent flaw is another account takeover scenario, which allows privilege escalation stemming from an authentication bypass used to verify the code sent as the account recovery process.



Bug Fixed in 2020


Microsoft fixed the bug in November 2020, much before the details were shared publicly by Muthiyah in his blog post published on Tuesday. His tests showed that out of the 1000 codes sent, just 122 got through, and the others were blocked with 1211 error code.



 


Despite the encryption barriers and rate-limiting checks in place to automa ..