Microsoft account hijack vulnerability earns bug bounty hunter $50,000

The researcher says he could have abused the bug to hijack Microsoft accounts.
Written by Charlie Osborne, Contributing Writer

Microsoft has awarded a bug bounty hunter $50,000 for disclosing a vulnerability leading to account hijacking. 

In a blog post on Tuesday, researcher Laxman Muthiyah said the security flaw could "have allowed anyone to take over any Microsoft account without consent [or] permission." 

However, as noted in a discussion concerning the report, this may only apply to consumer accounts.

Muthiyah previously found an Instagram rate limiting bug that could lead to account takeover and applied the same tests to Microsoft's account protections. 

In order to reset a password for a Microsoft account, the company requires an email address or phone number to be submitted through a "Forgotten Password" page. A seven-digit security code is then sent as a method of verification and needs to be provided in order to create a new password. 

Utilizing a brute-force attack to obtain the seven-digit code would lead to password resets without the account owner's permission. However, to stop these attacks in their tracks, rate limits, encryption, and checks are imposed. 

After examining Microsoft's defenses, Muthiyah was able to "work out" the company's encryption and "automate the entire process from encrypting the code to sending multiple concurrent requests."

An experiment involved 1000 code attempts being sent but only 122 were processed -- whereas the others resulted in an error and further requests from the test account were blocked. 

By sending simultaneous requests, however, the bug bounty hunter was able to circumvent both encryption and the blocking mechanism -- as long as there was no delay in requests, as even a few "milliseconds" was enough for requests to be detected and blacklisted, according to the researcher.

Muthiyah was able to tweak his attack by way of parallel processing, which sends all requests at the same time without any delay, and successfully obtain the correct code. 

However, in real-world scenarios, this attack vector is not a simple one. To bypass one seven-digit code would take heavy computing power, and if combined with the need to also break an accompanying 2FA code -- when this feature is enabled on a target Microsoft account -- this could require millions of requests in total. 

Muthiyah reported his findings and sent Microsoft a Proof-of-Concept (PoC) video as evidence. The bug bounty hunter said that the tech giant was "quick in acknowledging the issue" and a patch was issued in November 2020. 

The vulnerability was assigned a severity rating of "important" by Microsoft -- due to the complexity of triggering exploits through the bug -- and was described as an "elevation of privilege (including multi-factor authentication bypass)," according to an email screenshot shared by Muthiyah. 

The bug bounty award of $50,000 was issued on February 9 via the HackerOne bug bounty platform, a partner for distributing rewards. Microsoft offers between $1,500 and $100,000 for valid bug reports

"I would like to thank Dan, Jarek, and the entire MSRC Team for patiently listening to all my comments, providing updates, and patching the issue," Muthiyah commented.

The Microsoft Security Response Center thanked the researcher for his findings. 

In related Microsoft news, the Redmond giant has recently issued emergency patches to address four zero-day vulnerabilities impacting Exchange Server. 

A Microsoft spokesperson told ZDNet:

"This issue was addressed in December 2020 and customers are automatically protected."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards