A bug bounty hunter was awarded $50,000 by Microsoft for reporting a security vulnerability that could lead to account takeover. The researcher says the vulnerability affected only user accounts. It involved a brute-force attack to guess the seven-digit security code that is sent via email or SMS during the password-reset verification process.
Microsoft has awarded $50,000 to security researcher Laxman Muthiyah for reporting a vulnerability that could have allowed anyone to hijack user accounts without permission. Muthiyah described the flaw in a blog post on Tuesday, 2 March.
“To reset a Microsoft account’s password, we need to enter our email address or phone number in their forgot password page, after that, we will be asked to select the email or mobile number that can be used to receive the security code,” researcher Laxman Muthiyah wrote in the blog. “Once we receive the 7-digit security code, we will have to enter it to reset the password. Here, if we can brute force all the combinations of the 7-digit code (that will be 10^7 = 10 million codes), we will be able to reset any user’s password without permission.”
Muthiyah had previously found a rate-limiting flaw in Instagram that could lead to account takeover, and he applied the same tests to Microsoft accounts. He found that rate limits were in place to cap the number of attempts and protect accounts. Examining the HTTP POST request sent to verify the code showed that the code was encrypted before being sent, meaning the encryption had to be broken in order to automate brute-force attacks.
The researcher sent 1,000 code requests, but only 122 got through; the rest were blocked with error code 1211, which confirmed the rate limit used to protect accounts. He bypassed both the blocking and the encryption by submitting requests simultaneously. He found that if the requests did not all reach the server at the same time, the mechanism blacklisted the IP address.
In a real attack, all possible security codes, about 11 million requests, would have to be sent simultaneously to change a Microsoft account password (including accounts with 2FA enabled). Such an attack would require substantial computing resources and thousands of IP addresses.
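The bypass described above works because the server's attempt counter can be overtaken by requests that arrive together. The following is an added example, not code from the article or from Microsoft, showing why a per-account attempt counter for a reset code must be checked and incremented atomically. `MAX_ATTEMPTS`, `DEMO_CODE` and the 20-thread demo are constructed values; the `gap` hook in the racy verifier exists only to make the worst-case interleaving reproducible.

```python
"""
Added example: a check-then-increment attempt counter lets N concurrent
submissions all pass the limit check before any of them is recorded; a
counter read and written under one lock does not. Hypothetical code, not
Microsoft's implementation.
"""
import secrets
import threading
from typing import Callable

CODE_LENGTH = 7        # 7-digit code, 10**7 possibilities, as in the article
MAX_ATTEMPTS = 5       # assumed lockout policy, not Microsoft's real value
DEMO_CODE = "4815162"  # constructed value used by the demos below


def generate_code() -> str:
    """Return a fresh zero-padded numeric code drawn from a CSPRNG."""
    return f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"


class RacyVerifier:
    """Check-then-increment counter: a window exists between the read and the write."""

    def __init__(self, code: str, gap: Callable[[], object] = lambda: None) -> None:
        self.code = code
        self.attempts = 0
        self._gap = gap  # demo-only hook that widens the window deterministically

    def verify(self, candidate: str) -> str:
        if self.attempts >= MAX_ATTEMPTS:
            return "locked"
        self._gap()              # other requests can pass the check while we are here
        self.attempts += 1       # recorded too late to stop them
        return "ok" if secrets.compare_digest(candidate, self.code) else "wrong"


class AtomicVerifier:
    """Counter is read and written under one lock, keyed to the account, not the IP."""

    def __init__(self, code: str) -> None:
        self.code = code
        self.attempts = 0
        self._lock = threading.Lock()

    def verify(self, candidate: str) -> str:
        with self._lock:
            if self.attempts >= MAX_ATTEMPTS:
                return "locked"   # even a correct code is refused once exhausted
            self.attempts += 1    # the attempt is reserved before any comparison
        return "ok" if secrets.compare_digest(candidate, self.code) else "wrong"


def concurrent_submissions(verifier, n: int) -> int:
    """Submit n distinct wrong guesses from n threads; return how many were evaluated."""
    results = []
    results_lock = threading.Lock()

    def worker(i: int) -> None:
        # Constructed guesses 0000000.. never equal DEMO_CODE.
        outcome = verifier.verify(f"{i:0{CODE_LENGTH}d}")
        with results_lock:
            results.append(outcome)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(r != "locked" for r in results)


def demo_racy(n: int = 20) -> int:
    """All n requests pass the check before any increment: every guess is evaluated."""
    barrier = threading.Barrier(n)   # forces the worst-case interleaving, no timing luck
    return concurrent_submissions(RacyVerifier(DEMO_CODE, gap=barrier.wait), n)


def demo_atomic(n: int = 20) -> int:
    """Only MAX_ATTEMPTS guesses are evaluated regardless of concurrency."""
    return concurrent_submissions(AtomicVerifier(DEMO_CODE), n)


if __name__ == "__main__":
    print("racy verifier evaluated:  ", demo_racy())    # 20
    print("atomic verifier evaluated:", demo_atomic())  # 5
```

The design point is that the counter is tied to the account whose code is being verified and is reserved before the comparison runs, so the number of evaluated guesses can never exceed the policy no matter how many requests arrive together or from how many IP addresses. In a real service the same reservation would be done in the shared store (for example an atomic increment in the database or cache) rather than in an in-process lock.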
Muthiyah reported the problem to Microsoft, which promptly acknowledged and fixed it in November 2020.
“I received the bounty of USD 50,000 on Feb 9th, 2021 through HackerOne and got approval to publish this article on March 1st. I would like to thank Dan, Jarek, and the entire MSRC Team for patiently listening to all my comments, providing updates, and patching the issue. I would also like to thank Microsoft for the bounty,” Muthiyah concluded.