Leave it to security researchers to show Microsoft it still has a few chinks in the armor despite its many security apps and features. It's a good thing Microsoft has its bounty program in place to reward them the big bucks.
Security researcher Laxman Muthiyah found a vulnerability that could allow anyone to take over any Microsoft account. Hijacking an account required sending a few million codes simultaneously, which wasn't exactly an easy process.
Muthiyah's tweet of March 2, 2021: "Microsoft Account Takeover! 😊😇 Thank you very much @msftsecresponse for the bounty! 🙏🙏🙏 Write up - https://t.co/9ATsxAUfeB pic.twitter.com/pDEYv5f400"
By using a brute-force attack, a way for attackers to gain access to restricted accounts by systematically guessing codes or passwords until one is correct, Muthiyah could take control of anyone's account. The good news is he notified the Microsoft security team and the issue is now patched. Oh, and he was rewarded $50,000 for his efforts.
When researching loopholes in Microsoft's online services, Muthiyah tested vulnerabilities around resetting a Microsoft account’s password. This is when users will need to enter their email address or phone number to recover their account.
Users are then asked to receive a 7-digit security code at that email address or mobile number, on their laptop or smartphone, and to enter it in order to set a new password.
"Here, if we can brute-force all the combination of 7 digit code (that will be 10^7 = 10 million codes), we will be able to reset any user’s password without permission," Muthiyah said. However, Microsoft has a rate limit, meaning attackers only get a limited number of attempts to guess the correct security code before being locked out indefinitely.
The researcher sent out 1,000 codes, but only 122 were accepted before the rest were rejected. Eventually, he discovered that sending the requests concurrently got a very large number of them past the limit. These needed to be sent at exactly the same time, not even a few milliseconds apart, otherwise the IP address he used would be blacklisted.
He was then able to change the password of the Microsoft account, effectively hijacking the account. Muthiyah noted this would be a lot of work for hackers to do, as he states bad actors would need to send "all the possibilities of 6 and 7 digit security codes that would be around 11 million request attempts and it has to be sent concurrently to change the password of any Microsoft account (including those with 2FA enabled)."
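The bypass described above is a race in how attempts are counted: requests that arrive together are each checked against a counter that none of them has updated yet. The following added example (not code from Muthiyah or Microsoft) contrasts a check-then-increment limiter, which overshoots its cap under concurrent load, with one that reserves a slot atomically before validating anything; the attempt cap, the simulated store latency and the thread counts are constructed values.

```python
import threading
import time

MAX_ATTEMPTS = 122   # constructed cap, echoing the 122 requests accepted in the article
STORE_LATENCY = 0.2  # constructed: simulated round trip to the counter store, seconds

class RacyLimiter:
    """Check-then-increment: requests that read the counter before the first
    write lands are all accepted, so the cap is not enforced under load."""
    def __init__(self):
        self.attempts = 0

    def allow(self) -> bool:
        if self.attempts >= MAX_ATTEMPTS:   # read
            return False
        time.sleep(STORE_LATENCY)           # concurrent requests read the stale value here
        self.attempts += 1                  # write arrives too late
        return True

class AtomicLimiter:
    """Reserve a slot under a lock before doing anything else: at most
    MAX_ATTEMPTS requests get a ticket within the cap, however many arrive at once."""
    def __init__(self):
        self.attempts = 0
        self._lock = threading.Lock()

    def allow(self) -> bool:
        with self._lock:
            self.attempts += 1
            ticket = self.attempts
        time.sleep(STORE_LATENCY)           # latency no longer matters
        return ticket <= MAX_ATTEMPTS

def fire_concurrently(limiter, n: int) -> int:
    """Release n requests at the same moment and return how many were accepted."""
    accepted = []
    start = threading.Barrier(n)

    def request():
        start.wait()                        # all threads pass the barrier together
        if limiter.allow():
            accepted.append(1)              # list.append is atomic in CPython

    threads = [threading.Thread(target=request) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(accepted)
```

With 500 simultaneous requests the racy limiter accepts far more than 122, while the atomic one accepts exactly 122; in a real deployment the same rule applies to the code's lifetime, which should be invalidated once the cap is hit.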
A lot of work, but there was a nice payout. Muthiyah goes into further detail about his experience and process of discovering the vulnerability over on The Zero Hack.