Security News > 2021 > March > A $50,000 Bug Could've Allowed Hackers Access Any Microsoft Account
Microsoft has awarded an independent security researcher $50,000 as part of its bug bounty program for reporting a flaw that could have allowed a malicious actor to hijack users' accounts without their knowledge.
Reported by Laxman Muthiyah, the vulnerability aims to brute-force the seven-digit security code that's sent to a user's email address or mobile number to corroborate his identity before resetting the password in order to recover access to the account.
Put differently, the account takeover scenario is a consequence of privilege escalation stemming from an authentication bypass at an endpoint which is used to verify the codes sent as part of the account recovery process.
While this attack only works in cases where the account is not secured by two-factor authentication, it can still be extended to defeat the two layers of protection and modify a target account's password - something that could be prohibitive given the amount of computing resources required to mount an attack of this kind.
"Putting all together, an attacker has to send all the possibilities of 6 and 7 digit security codes that would be around 11 million request attempts and it has to be sent concurrently to change the password of any Microsoft account," Muthiyah said.
Separately, Muthiyah also employed a similar technique to Instagram's account recovery flow by sending 200,000 concurrent requests from 1,000 different machines, finding that it was possible to achieve account takeover.
News URL
Related news
- New Flaws in Microsoft macOS Apps Could Allow Hackers to Gain Unrestricted Access (source)
- Microsoft: Vanilla Tempest hackers hit healthcare with INC ransomware (source)
- A Hacker's Era: Why Microsoft 365 Protection Reigns Supreme (source)
- Microsoft and DOJ disrupt Russian FSB hackers' attack infrastructure (source)