Researcher Laxman Muthiyah Awarded with $50,000 for Detecting a Flaw in Microsoft Account

Researcher Laxman Muthiyah Awarded with $50,000 for Detecting a Flaw in Microsoft Account

A bug bounty hunter was awarded $50,000 by Microsoft for revealing a security vulnerability leading to account deprivation. The expert says that only ‘user accounts’ have an effect on vulnerabilities. The vulnerability has to do with launching a brute force attack to estimate that the seven-digit security code is sent via email or SMS in a reset password checking process. 

Microsoft has granted $50,000 to the Security Researcher Laxman Muthiyah for revealing a vulnerability that could allow anyone to hijack the accounts of users without permission. Researcher Laxman Muthiyah informed in a blog post on Tuesday 2nd March, about the possibility of the particular security flaw. 

“To reset a Microsoft account’s password, we need to enter our email address or phone number in their forgot password page, after that, we will be asked to select the email or mobile number that can be used to receive security code,” researcher Laxman Muthiyah wrote in the blog. “Once we receive the 7-digit security code, we will have to enter it to reset the password. Here, if we can brute force all the combination of 7-digit code (that will be 10^7 = 10 million codes), we will be able to reset any user’s password without permission.” 

In the past, Muthiyah found an Instagram-rate flaw that might contribute to take-up and then use the same tests to secure Microsoft's account. The researcher found out that the rates are set to reduce the number of tries and safeguard the accounts. Examination of an HTTP POST application sent to verify the code showed that the code was encrypted before it was sent, which suggests that the authentication was broken in order to optimize brutal force attacks. 

The analyst sent 1 ..

Support the originator by clicking the read the rest link below.