A security researcher has won a $50,000 bounty from Microsoft after discovering and disclosing a zero-day vulnerability. The flaw would have allowed threat actors to hijack Microsoft accounts and steal their owners’ information.
Researcher Laxman Muthiyah discussed both the vulnerability and Microsoft’s reward in a blog post this week. He says the security hole would have allowed an attacker, or “anyone,” to “take over any Microsoft account without consent [or] permission.”
Still, “any Microsoft account” may be an overstatement, as the flaw appears to affect only consumer accounts. The problem stems from the way Microsoft handles password resets, specifically the “Forgotten Password” page.
This is where account holders reset a password they have forgotten. Microsoft asks for an email address or phone number and sends a code there to confirm that the person requesting the reset is the account holder. The code is a seven-digit verification number that the user must enter before setting a new password.
If an attacker could brute-force that verification code, they could reset the password and take over the account without the owner’s permission. Of course, Microsoft does not leave the door open: it rate-limits guesses and applies encryption to the submitted code.
Muthiyah says he could “work out” Microsoft’s encryption and then “automate the entire process from encrypting the code to sending multiple concurrent requests.”
Getting the Key to the Gate
He then ran an experiment with 1,000 code attempts, of which 122 were processed; the rest were blocked or returned an error. The researcher says that sending many requests at once let him slip past the blocking tools, but only if none of the requests was delayed. By tuning the attack to send the requests with no delay at all, he was able to brute-force verification codes.
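As an added illustration (not code from the original article, from Muthiyah, or from Microsoft), the following Python toy models the failure mode described above: a rate limiter that checks an attempt counter and only increments it afterwards can be beaten by a burst of guesses that all land in the same instant, because every request reads the counter before any request has moved it. The burst is simulated deterministically rather than with real threads, the five-attempt budget and the sample code value are assumptions, and the hardened variant shows the fix a practitioner would want: count and decide under one lock, and burn the code once the budget is spent.

```python
"""Toy model of a password-reset code verifier, built to illustrate the
race the article describes: a burst of guesses that arrives at the same
instant can all pass a "check, then count" rate limiter before any of
them is counted. Constructed example, not Microsoft's code. The attempt
budget (MAX_ATTEMPTS) is an assumption; the page gives no such number."""

import hmac
import secrets
import threading

CODE_LENGTH = 7      # seven-digit code, as described in the article
MAX_ATTEMPTS = 5     # assumed per-code guess budget


def issue_code() -> str:
    """Generate a fresh zero-padded reset code with a CSPRNG."""
    return f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"


class RacyVerifier:
    """Vulnerable: decides on a stale read of the counter and increments
    only after the check, so simultaneous requests all see a fresh budget."""

    def __init__(self, code: str) -> None:
        self.code = code
        self.attempts = 0

    def verify_burst(self, guesses: list[str]) -> tuple[int, bool]:
        # Phase 1: every request in the burst runs its limit check before
        # any request has incremented the counter (the race window).
        admitted = [g for g in guesses if self.attempts < MAX_ATTEMPTS]
        # Phase 2: the admitted requests are compared and counted.
        found = False
        for guess in admitted:
            self.attempts += 1
            if hmac.compare_digest(guess, self.code):
                found = True
        return len(admitted), found


class AtomicVerifier:
    """Hardened: counting and deciding happen under one lock, and the code
    is burned once the budget is spent or a correct guess is accepted."""

    def __init__(self, code: str) -> None:
        self.code = code
        self.attempts = 0
        self.burned = False
        self._lock = threading.Lock()

    def verify(self, guess: str):
        """None if the limiter refused the guess, else whether it matched."""
        with self._lock:
            if self.burned:
                return None
            self.attempts += 1
            if self.attempts > MAX_ATTEMPTS:
                self.burned = True          # budget spent: code is now useless
                return None
            ok = hmac.compare_digest(guess, self.code)
            if ok:
                self.burned = True          # one-time use
            return ok

    def verify_burst(self, guesses: list[str]) -> tuple[int, bool]:
        # The lock serialises the burst, so at most MAX_ATTEMPTS guesses
        # are ever compared against the code, however many arrive at once.
        results = [self.verify(g) for g in guesses]
        compared = [r for r in results if r is not None]
        return len(compared), any(compared)


def demo(code: str = "0000042", burst_size: int = 1000) -> dict:
    """Fire a burst of sequential guesses (one slice of a brute force) at
    both verifiers. Mirrors the article's 1,000-request experiment in shape
    only; the code value is constructed so the burst contains it."""
    guesses = [f"{i:0{CODE_LENGTH}d}" for i in range(burst_size)]
    return {
        "racy": RacyVerifier(code).verify_burst(guesses),
        "atomic": AtomicVerifier(code).verify_burst(guesses),
    }


if __name__ == "__main__":
    print(demo())
```

Against the racy verifier the whole burst is compared and the code is recovered; against the atomic one only the first five guesses are compared and the code is then dead, so the attacker has to go back to requesting a fresh code, which is where a separate per-account limit belongs.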
Muthiyah admits the attack would not be simple in a real-world situation because of the heavy computing resources needed to brute-force even a single code. If the Microsoft account has two-factor authentication (2FA) enabled, it would require millions of simultaneous requests.
Still, it was a clear hole in Microsoft’s system, so Muthiyah sent a proof-of-concept (PoC) to the company. He said Microsoft was “quick in acknowledging the issue” and had issued a full patch by November last year.
Because of the complex attack method, Microsoft did not view the vulnerability as critical. Instead, the company is labelling it as “important” in terms of severity. On February 9, Microsoft rewarded the researcher with $50,000 per its bug bounty program.