Security News > 2021 > March > Microsoft Pays $50,000 Bounty for Account Takeover Vulnerability
A security researcher says Microsoft has awarded him a $50,000 bounty reward for reporting a vulnerability that could have potentially allowed for the takeover of any Microsoft account.
The attack, the researcher explains, targets the password recovery process that Microsoft has in place, which typically requires the user to enter their email or phone number to receive a security code, and then enter that code.
An attacker who wants to gain access to the targeted user's account would need to correctly guess the code or be able to try as many of these codes as possible, until they enter the correct one.
Microsoft has a series of mechanisms in place to prevent attacks, including limiting the number of attempts to prevent automated brute forcing and blacklisting an IP address if multiple consecutive attempts are made from it.
"Putting all together, an attacker has to send all the possibilities of 6 and 7 digit security codes that would be around 11 million request attempts and it has to be sent concurrently to change the password of any Microsoft account," the researcher says.
Microsoft awarded the researcher a $50,000 bug bounty reward as part of its Identity Bounty Program, assessing the vulnerability with a severity rating of important and considering it an "Elevation of Privilege" - this type of issue has the highest security impact in Microsoft's Identity Bounty Program.