A bug hunter disclosed a security flaw that could have allowed Microsoft accounts to be hijacked, a major flaw that earned him $50,000 in rewards.
Microsoft awarded $50,000 to a bug hunter for reporting a vulnerability that could lead to account hijacking.
In a blog post published Tuesday, researcher Laxman Muthiyah explains that the flaw could "have allowed anyone to take control of any Microsoft account without authorization." However, as noted in discussion of the research, it affected only consumer accounts.
Laxman Muthiyah had first found a rate-limiting bug on Instagram. He then applied the same tests of rate-limiting protections to Microsoft accounts.
To reset the password for a Microsoft account, you must submit your email address or phone number via the "Forgot password" page. A seven-digit security code is then sent as a verification method and must be provided in order to set a new password. Brute-forcing the seven-digit code could allow the password to be reset without the account owner's authorization. To prevent this, Microsoft applies rate limiting, encryption, and other controls.
After reviewing Microsoft's defenses, Laxman Muthiyah was able to "hijack" the company's encryption and "automate the whole process, from encrypting the code to sending multiple simultaneous requests." During one test, 1,000 codes were sent, but only 122 were processed; the rest returned an error or were blocked.
By sending the requests simultaneously, however, the researcher was able to bypass both the encryption and the blocking mechanism. The technique works only when there is no delay between requests: according to the researcher, even a few "milliseconds" would have been enough for the requests to be detected and put on a blacklist. Laxman Muthiyah built his attack on parallel processing, which sent all requests at the same instant with no delay, and in this way succeeded in obtaining the correct code.
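The bypass described above hinges on a rate limiter that checks the attempt count and then records the attempt as two separate steps, so requests arriving at the same instant all see a count below the limit. The Python script below is an added illustration, not code from the article or from the researcher, and it models no Microsoft system: it contrasts a check-then-increment limiter with one that reserves the attempt atomically before doing any work, using a constructed seven-digit code, a constructed five-attempt budget, and a sleep that stands in for the database round trip during which the race occurs.

```python
import hmac
import threading
import time

# Constructed example values, not taken from the report: a seven-digit reset
# code and the number of guesses allowed per reset session.
SECRET_CODE = "4831027"
MAX_ATTEMPTS = 5
RACE_WINDOW = 0.05  # stand-in for the database round trip between check and write


class NaiveVerifier:
    """Check-then-increment limiter. The read of the counter and the write
    back are separate steps, so requests that arrive together all observe a
    count below the limit and are all evaluated."""

    def __init__(self):
        self.attempts = {}  # account -> guesses consumed

    def verify(self, account, code):
        used = self.attempts.get(account, 0)
        if used >= MAX_ATTEMPTS:
            return "blocked"
        time.sleep(RACE_WINDOW)            # other requests slip through here
        self.attempts[account] = used + 1  # lost update: overwrites peers' writes
        return "ok" if hmac.compare_digest(code, SECRET_CODE) else "wrong"


class AtomicVerifier:
    """Reserve-then-check limiter. The attempt is reserved under a lock before
    any work is done, so at most MAX_ATTEMPTS guesses are ever evaluated,
    regardless of how many arrive at the same instant."""

    def __init__(self):
        self.attempts = {}
        self.lock = threading.Lock()

    def verify(self, account, code):
        with self.lock:  # read, compare and write happen as one step
            used = self.attempts.get(account, 0)
            if used >= MAX_ATTEMPTS:
                return "blocked"
            self.attempts[account] = used + 1
        time.sleep(RACE_WINDOW)  # same latency, but the budget is already consumed
        return "ok" if hmac.compare_digest(code, SECRET_CODE) else "wrong"


def concurrent_attempts(verifier, account, codes):
    """Release one thread per code at the same instant (barrier) and return how
    many guesses the verifier actually evaluated rather than blocked."""
    results = [None] * len(codes)
    barrier = threading.Barrier(len(codes))

    def worker(i, code):
        barrier.wait()
        results[i] = verifier.verify(account, code)

    threads = [threading.Thread(target=worker, args=(i, c)) for i, c in enumerate(codes)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for r in results if r != "blocked")


if __name__ == "__main__":
    guesses = [f"{n:07d}" for n in range(40)]  # 40 simultaneous wrong guesses
    print("naive limiter evaluated:",
          concurrent_attempts(NaiveVerifier(), "victim@example.com", guesses))
    print("atomic limiter evaluated:",
          concurrent_attempts(AtomicVerifier(), "victim@example.com", guesses))
```

Run stand-alone, the naive verifier evaluates far more than five of the forty concurrent guesses, while the locking verifier evaluates exactly five. In a multi-server deployment the in-process lock must be replaced by an atomic increment in the shared store (a Redis INCR, or a database UPDATE guarded by a WHERE clause on the current count) so that the reservation holds across instances, and a reset session should be invalidated, not merely throttled, once its budget is spent.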
A flaw judged "important"
However, in the real world this attack vector is not straightforward. Brute-forcing a seven-digit code would require significant computing power, and if the accompanying 2FA code also has to be broken (when that feature is enabled on the targeted Microsoft account), millions of requests might be needed in total.
Laxman Muthiyah shared his findings with Microsoft and sent a proof-of-concept (PoC) video. The researcher says the tech giant "quickly recognized the problem" and released a patch in November 2020. Microsoft rated the vulnerability "important" because of the complexity of exploiting it, and classified it as "elevation of privilege (including bypassing multi-factor authentication)," according to a screenshot of the email shared by the researcher.
The $50,000 bounty was awarded to the researcher on February 9 via the HackerOne platform, which manages the distribution of bug bounty program rewards. Microsoft offers $1,500 to $100,000 for reporting a valid vulnerability. "I would like to thank Dan, Jarek, and the entire MSRC team for patiently listening to all of my comments, providing updates, and correcting the problem," the researcher commented. Microsoft's Security Response Center (MSRC) thanked the researcher for his findings.
On a related note, Microsoft has urgently released four fixes for zero-day vulnerabilities that were being exploited in Exchange Server.