Chennai, March 3
Microsoft has awarded a Chennai-based security researcher $50,000 (roughly Rs 36 lakh) for identifying a vulnerability in the company's online services that "could have allowed anyone to take over any Microsoft account without consent".
After assessing his report, the Microsoft security team patched the issue and rewarded him $50,000 as part of their Identity Bounty Program, security researcher Laxman Muthiyah wrote in a blog post on Tuesday.
Muthiyah earlier won a bug bounty from Facebook for finding a similar account takeover vulnerability in Instagram.
"I found Microsoft is also using a similar technique to reset the user's password, so I decided to test them for any rate limiting vulnerability," he said.
Muthiyah explained that to reset a Microsoft account's password, users must enter the email address or phone number on the forgot password page. After that they will be asked to select the email or mobile number that can be used to receive the security code.
Once they receive the 7-digit security code, they need to enter it to reset the password.
"Here, if we can brute force all the combinations of the seven-digit code, we will be able to reset any user's password without permission. But, obviously, there will be some rate limits that will prevent us from making a large number of attempts," he said.
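The reset flow described above relies entirely on the server refusing to let a 7-digit code be guessed exhaustively (ten million possibilities). The following is an added illustration of the defensive side, not Microsoft's implementation and not code from the researcher's post: a server-side code store whose guess budget is bound to the code itself and decremented under a lock, so spreading attempts across connections or sending them concurrently cannot buy more guesses. The attempt limit, lifetime and account names are assumed values.

```python
import hmac
import secrets
import threading
import time

CODE_DIGITS = 7          # the article describes a 7-digit security code
MAX_ATTEMPTS = 5         # assumed: wrong guesses allowed before the code is burned
TTL_SECONDS = 600        # assumed: code lifetime in seconds


class ResetCodeStore:
    """Server-side store for one-time password-reset codes.

    The guess budget lives with the code and is decremented atomically, so
    after MAX_ATTEMPTS failures the code is discarded and even the correct
    value is rejected; the only recovery is to request a fresh code.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._lock = threading.Lock()
        self._codes = {}  # account -> (code, expires_at, attempts_left)

    def issue(self, account):
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        with self._lock:
            self._codes[account] = (code, self._now() + TTL_SECONDS, MAX_ATTEMPTS)
        return code  # a real service sends this to the chosen email/phone only

    def verify(self, account, guess):
        with self._lock:
            entry = self._codes.get(account)
            if entry is None:
                return False
            code, expires_at, attempts_left = entry
            if self._now() > expires_at:
                del self._codes[account]  # expired codes are never honoured
                return False
            # constant-time comparison so timing does not leak matching digits
            if hmac.compare_digest(code.encode(), str(guess).encode()):
                del self._codes[account]  # single use
                return True
            attempts_left -= 1
            if attempts_left <= 0:
                del self._codes[account]  # budget exhausted: code is burned
            else:
                self._codes[account] = (code, expires_at, attempts_left)
            return False
```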
After a few days of effort, he was able to spot the account takeover flaw.
"Immediately, I recorded a video of all the bypasses and submitted it to Microsoft along with detailed steps to reproduce the vulnerability. They were quick in acknowledging the issue," Muthiyah said. — IANS