Microsoft Pays $50,000 Bounty for Account Takeover Vulnerability

A security researcher says Microsoft has awarded him a $50,000 bounty reward for reporting a vulnerability that could have potentially allowed for the takeover of any Microsoft account.

The issue, India-based independent security researcher Laxman Muthiyah reveals, could have been abused to reset the password of any account on Microsoft’s online services, but wasn’t that easy to exploit.

The attack, the researcher explains, targets the password recovery process that Microsoft has in place, which typically requires the user to enter their email or phone number to receive a security code, and then enter that code.

Typically, the security code is seven digits long, which means there are 10 million possible codes.

An attacker who wants to gain access to the targeted user’s account would need to correctly guess the code or be able to try as many of these codes as possible, until they enter the correct one.

Microsoft has a series of mechanisms in place to prevent attacks, including limiting the number of attempts to prevent automated brute forcing and blacklisting an IP address if multiple consecutive attempts are made from it.

What Muthiyah discovered, however, was not only a technique to automate the sending of requests, but also the fact that the system would no longer block the requests if they reached the server simultaneously (even the slightest delay would trigger the defense mechanism).
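The article does not describe how Microsoft's rate limiter was implemented, only that requests arriving simultaneously were not blocked while requests with even a slight delay were. The following added example (not Microsoft's code and not the researcher's) reconstructs the defensive lesson with a hypothetical check-then-act attempt counter that is vulnerable to exactly this race, placed beside one that performs the read-decide-write step atomically. Account name, limit and request count are constructed values.

```python
import threading
import time

MAX_ATTEMPTS = 5     # attempts allowed per account before lockout (constructed value)
RACE_WINDOW = 0.02   # seconds between the check and the counter write in the racy limiter


class RacyRateLimiter:
    """Check-then-act limiter: reads the counter, decides, then writes it back.
    Requests that arrive at the same instant all read the counter before any of
    them has written it, so all of them pass the check."""

    def __init__(self, limit=MAX_ATTEMPTS):
        self.limit = limit
        self.attempts = {}

    def allow(self, account):
        count = self.attempts.get(account, 0)
        if count >= self.limit:
            return False
        time.sleep(RACE_WINDOW)  # stands in for a datastore round trip between read and write
        self.attempts[account] = count + 1
        return True


class AtomicRateLimiter:
    """Same policy, but the read-decide-write sequence runs under a lock, so a
    burst of simultaneous requests is counted one at a time."""

    def __init__(self, limit=MAX_ATTEMPTS):
        self.limit = limit
        self.attempts = {}
        self.lock = threading.Lock()

    def allow(self, account):
        with self.lock:
            count = self.attempts.get(account, 0)
            if count >= self.limit:
                return False
            time.sleep(RACE_WINDOW)
            self.attempts[account] = count + 1
            return True


def simulate_burst(limiter, account="victim@example.invalid", n_requests=40):
    """Release n_requests code-verification attempts at the same instant and
    return how many of them the limiter accepted."""
    barrier = threading.Barrier(n_requests)
    accepted = []
    accepted_lock = threading.Lock()

    def worker():
        barrier.wait()  # every thread starts its request at the same moment
        if limiter.allow(account):
            with accepted_lock:
                accepted.append(1)

    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(accepted)


if __name__ == "__main__":
    print("racy limiter accepted:", simulate_burst(RacyRateLimiter()))
    print("atomic limiter accepted:", simulate_burst(AtomicRateLimiter()))
```

Run stand-alone, the racy limiter accepts nearly all 40 simultaneous attempts while the atomic one accepts exactly 5. In a real service the lock would be a single atomic increment in the shared datastore (incrementing before checking the result, not after), applied per account as well as per source IP, so that the limit cannot be sidestepped by spreading a burst across many connections.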

“I sent around 1000 seven digit codes including the right one and was able to get the next step to change the password,” the researcher says.

The attack is valid for accounts without two-factor authentication (2FA) enabled, but even the second authentication step could be bypasse ..