Microsoft has awarded a bug bounty hunter $50,000 for disclosing a vulnerability that could have led to account hijacking.
The researcher, Laxman Muthiyah, said the flaw could have allowed anyone to take over any Microsoft account without the owner's permission, although it may only have applied to consumer accounts.
Muthiyah, who had earlier found an Instagram rate-limiting bug that could lead to account takeover, applied the same tests to Microsoft's account protections.
To reset the password of a Microsoft account, an email address or phone number is submitted through the “Forgotten Password” page. A seven-digit security code is then sent to that address or number, and it must be entered before a new password can be set.
A brute-force attack could in principle recover the seven-digit code and so reset the password without the account owner's consent. To stop such attacks, the service imposes rate limits, encrypts the submitted code, and applies further checks.
After examining Microsoft's defenses, the researcher worked out the encryption applied to the code before submission and was able to “automate the entire process from encrypting the code to sending multiple concurrent requests.”
In one experiment, 1,000 code attempts were sent but only 122 were processed; the others returned an error, and further requests from the test account were blocked.
The bug bounty hunter then sent the requests simultaneously and managed to circumvent both the encryption and the blocking mechanism, as long as there was no delay between requests: a gap of even a few “milliseconds” was enough for the requests to be detected and blacklisted.
Muthiyah refined the attack with parallel processing, sending all requests at the same moment with no delay between them, and successfully obtained the correct code.
It is important to note that in real-world scenarios this attack is not an easy one. Brute-forcing a seven-digit code means up to ten million candidates, which demands considerable computing power, and breaking an accompanying 2FA check on top of that could take millions of requests in total.
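The bug class the article describes, a per-account attempt counter that is read before the code check and only incremented afterwards, is easiest to see in a toy model. The following is an added example written for this page, not Microsoft's code or the researcher's tooling; the 4-digit code, the limit of 5 attempts, the 50 concurrent guesses and the simulated backend delay are all constructed, scaled-down assumptions. A barrier releases every guess at the same instant, which stands in for sending the requests with no delay between them, and the hardened verifier reserves the attempt under a lock before doing any work.

```python
"""Toy model of a race in a reset-code rate limiter (added example, not
Microsoft's code). All parameters below are constructed assumptions."""
import hmac
import threading
import time

ATTEMPT_LIMIT = 5      # assumption: block the account after 5 wrong codes
DEMO_CODE = "0042"     # constructed sample code (the real flow used 7 digits)
WORK_DELAY = 0.05      # simulated backend latency; it widens the race window


class RacyVerifier:
    """Check-then-act: the counter is read before the work, written after."""

    def __init__(self, code: str) -> None:
        self.code = code
        self.attempts = 0

    def verify(self, guess: str) -> str:
        if self.attempts >= ATTEMPT_LIMIT:   # read the counter ...
            return "blocked"
        time.sleep(WORK_DELAY)               # ... do work while other threads run ...
        self.attempts += 1                   # ... write it back: too late for a burst
        return "ok" if hmac.compare_digest(guess, self.code) else "wrong"


class AtomicVerifier:
    """Reserve the attempt under a lock before doing any work at all."""

    def __init__(self, code: str) -> None:
        self.code = code
        self.attempts = 0
        self._lock = threading.Lock()

    def verify(self, guess: str) -> str:
        with self._lock:                     # check and increment are one step
            if self.attempts >= ATTEMPT_LIMIT:
                return "blocked"
            self.attempts += 1               # counted even if the guess is wrong
        time.sleep(WORK_DELAY)
        return "ok" if hmac.compare_digest(guess, self.code) else "wrong"


def concurrent_guess(verifier, guesses):
    """Fire every guess at the same instant (a barrier releases all threads
    together, mirroring 'no delay' between requests) and summarise outcomes."""
    results = {}
    barrier = threading.Barrier(len(guesses))

    def worker(guess):
        barrier.wait()
        results[guess] = verifier.verify(guess)

    threads = [threading.Thread(target=worker, args=(g,)) for g in guesses]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    processed = sum(1 for r in results.values() if r != "blocked")
    found = next((g for g, r in results.items() if r == "ok"), None)
    return {"processed": processed,
            "blocked": len(guesses) - processed,
            "found": found}


def run_attack(verifier_cls, candidates=50):
    """Try `candidates` distinct codes at once; the correct one is among them."""
    guesses = [f"{i:04d}" for i in range(1000, 1000 + candidates - 1)] + [DEMO_CODE]
    return concurrent_guess(verifier_cls(DEMO_CODE), guesses)


if __name__ == "__main__":
    print("racy  :", run_attack(RacyVerifier))    # far more than 5 processed, code found
    print("atomic:", run_attack(AtomicVerifier))  # exactly 5 processed
```

Against the racy verifier every one of the 50 simultaneous guesses passes the counter check before any of them is counted, so the correct code is always among the processed requests; the atomic version processes exactly the limit and blocks the rest. In a real deployment the counter would have to live in a store shared by all front-end servers and be incremented with an atomic operation (for example a single increment-and-read in the datastore), since a lock inside one process does nothing for requests that land on different machines.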
Muthiyah reported his findings to Microsoft along with a Proof-of-Concept (PoC) video as evidence, and the company issued a patch promptly, in November 2020.
The vulnerability, which Microsoft rated as “important” in severity, was described as an “elevation of privilege (including multi-factor authentication bypass).”
The Microsoft Security Response Center thanked the researcher for his findings, and on February 9 he was rewarded with $50,000 via the HackerOne bug bounty platform, Microsoft's partner for distributing rewards.