Indian Guy Awarded ₹36 Lakh By Microsoft For Spotting A Hacker Vulnerability
Microsoft has paid an Indian researcher $50,000 for finding a major vulnerability in its services. Laxman Muthiyah was awarded the sum as a part of Microsoft's HackerOne bug bounty program; the vulnerability, had it gone undetected, could have allowed hackers to completely hijack a user's account without any notification whatsoever.
Muthiyah had recently spotted a similar vulnerability in Instagram (for which he was awarded $30,000). Moreover, he noticed that both Instagram and Microsoft used a similar technique to reset a user's password, so he decided to test whether the same methods would work here too.
He saw that even though the site did not allow an attacker to brute-force the security code that enables a password reset, the code was encrypted before being sent, so he automated the entire process, from encrypting each code to sending multiple consecutive requests.
He sent 1000 codes, of which only 122 got through, with the rest receiving a strange 1211 error code. The same did not happen with the actual code the account received via email. He later discovered that these other requests were being blocked because the service blacklisted the sender's IP address if all the requests did not hit the server at the same time.
Laxman then tweaked the code to deal with this situation, and it worked. He sent 1000 seven-digit codes and managed to get the option to change the password. While this was the result for accounts without two-factor authentication, he saw that for 2FA both used the same endpoint and were vulnerable to the same attack; the hacker would just have to do this twice to get access to changing the password.
Muthiyah explained, "Putting all together, an attacker has to send all the possibilities of 6 and 7 digit security codes that would be around 11 million request attempts and it has to be sent concurrently to change the password of any Microsoft account (including those with 2FA enabled)."
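The root cause described above is a rate limit that only trips when requests arrive one after another; a limiter that is read once for a whole batch of simultaneous requests admits the whole batch. The usual defence is not per-IP throttling at all, but a small attempt budget bound to the issued code itself, consumed atomically before each comparison, so that the size of the 6- or 7-digit code space never comes into play. The following is an added example written for this article, not Microsoft's or the researcher's code: a deterministic model of the weak per-IP pattern next to a hardened verifier, plus a concurrency stress test of the hardened version. The class names, the attempt limit of 5, the account names and the IP address are all constructed for the example.

```python
"""Password-reset code verification with an atomic per-account attempt budget.

Added example (not Microsoft's code or the researcher's): a limiter that counts
requests per source IP, and only trips when requests arrive one after another,
can be defeated by sending guesses at the same time. Binding a small attempt
budget to the issued code itself, decremented under a lock, holds no matter how
the requests are timed. Limits, account names and the IP are constructed values.
"""
import secrets
import threading
from collections import Counter
from concurrent.futures import ThreadPoolExecutor


class WeakIpLimiter:
    """Deterministic model of the flawed pattern (check-then-act per IP).

    Every request in one simultaneous batch sees the pre-batch count, so a
    batch is either fully admitted or fully rejected; the count is only
    updated after the batch has been decided.
    """

    def __init__(self, max_per_window=100):
        self.max_per_window = max_per_window
        self.seen = {}  # ip -> requests counted so far (constructed window)

    def admit_batch(self, ip, n_requests):
        before = self.seen.get(ip, 0)
        admitted = n_requests if before < self.max_per_window else 0
        self.seen[ip] = before + n_requests
        return admitted


class ResetCodeStore:
    """Hardened verifier: each issued code carries its own attempt budget."""

    def __init__(self, max_attempts=5, digits=7):
        self.max_attempts = max_attempts  # assumption: 5 guesses per issued code
        self.digits = digits
        self._lock = threading.Lock()
        self._entries = {}  # account -> [code, attempts_remaining]

    def issue(self, account):
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        with self._lock:
            self._entries[account] = [code, self.max_attempts]
        return code

    def verify(self, account, guess):
        # The whole check runs under one lock, so concurrent guesses are
        # serialised and each one consumes budget before it is compared.
        with self._lock:
            entry = self._entries.get(account)
            if entry is None:
                return "no_active_code"
            entry[1] -= 1
            if secrets.compare_digest(entry[0], guess):
                del self._entries[account]  # single use
                return "ok"
            if entry[1] <= 0:
                del self._entries[account]  # budget exhausted: code invalidated
                return "locked"
            return "wrong"


def concurrent_wrong_guesses(store, account, real_code, n_guesses=1000, workers=32):
    """Defensive stress test: fire n_guesses incorrect guesses from many threads
    at once and tally the verifier's responses. The constructed guess list
    skips the real code so the outcome is deterministic."""
    guesses, candidate = [], 0
    while len(guesses) < n_guesses:
        guess = f"{candidate:0{store.digits}d}"
        if guess != real_code:
            guesses.append(guess)
        candidate += 1
    with ThreadPoolExecutor(max_workers=workers) as pool:
        outcomes = list(pool.map(lambda g: store.verify(account, g), guesses))
    return Counter(outcomes)


if __name__ == "__main__":
    weak = WeakIpLimiter(max_per_window=100)
    print("weak limiter, 1000 simultaneous:", weak.admit_batch("203.0.113.7", 1000))
    weak = WeakIpLimiter(max_per_window=100)
    print("weak limiter, 1000 sequential:",
          sum(weak.admit_batch("203.0.113.7", 1) for _ in range(1000)))

    store = ResetCodeStore(max_attempts=5)
    code = store.issue("alice@example.test")
    print("hardened store, 1000 simultaneous:",
          dict(concurrent_wrong_guesses(store, "alice@example.test", code)))
    print("real code afterwards:", store.verify("alice@example.test", code))
```

Run stand-alone, the weak model admits all 1000 simultaneous requests but only 100 sequential ones, which mirrors the "1000 sent, 122 got through" observation above. The hardened store answers the 1000 simultaneous guesses with four "wrong", one "locked" and 995 "no_active_code", and the genuine code is no longer accepted afterwards: the user has to request a fresh one, which is the visible signal a defender wants. Applying the same budget to the second-factor step closes the "do it twice" path for 2FA accounts as well.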
He then recorded a video and sent it by email to Microsoft with detailed steps and instructions on the vulnerability. He stated that the issue was dealt with promptly: "The issue was patched in November 2020 and my case was assigned to different security impact than the one expected. I asked them to reconsider the security impact explaining my attack. After a few back and forth emails, my case was assigned to Elevation of Privilege (Involving Multi-factor Authentication Bypass). Due to the complexity of the attack, bug severity was assigned as important instead of critical."
Muthiyah received the $50,000 bounty on February 9, 2021, while also getting permission to publish the vulnerability to the world on March 1, 2021.