A serious flaw could have allowed malicious actors to hijack


Recently, independent security researcher Laxman Muthiyah discovered a serious flaw that could have allowed malicious threat actors to take over any Microsoft account without the owner’s knowledge. Microsoft awarded him $50,000 under its bug bounty program for reporting it.

The attack works by brute-forcing the seven-digit security code that is sent to a user’s email address or mobile number to verify their identity before the password is reset and access to the account is recovered. Microsoft addressed the issue in November 2020; Muthiyah published the details of the flaw in March 2021.

Although there are encryption barriers and rate-limiting checks designed to stop an attacker from submitting all 10 million possible codes in an automated fashion, Muthiyah eventually reverse-engineered the encryption function used to cloak the security code in the request and sent many requests concurrently. The rate limit still caught most of them: in his tests, of 1,000 codes sent at once, only 122 got through, with the rest blocked with error code 1211.
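The security-relevant lesson in that result is that a rate limit which is evaluated per request, after the fact, can be partly defeated by a burst of concurrent requests that all pass the check before any of them is counted. The simulation below is an added illustration, not Microsoft’s code or Muthiyah’s tooling: it models a reset-code endpoint with a check-then-act attempt counter (the race deliberately widened with a barrier so the interleaving is reproducible) beside one that checks and increments atomically under a lock. The lockout threshold of five attempts and the burst size are assumptions; the code comparison uses a constant-time compare so the simulation does not introduce a timing side channel of its own.

```python
"""Check-then-act rate limiter versus an atomic one under a concurrent
brute-force burst against a seven-digit reset code.

Added example; not Microsoft's implementation or Muthiyah's tooling.
MAX_ATTEMPTS, the burst size and the code format are assumptions."""
import hmac
import secrets
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Optional

CODE_LENGTH = 7          # seven-digit numeric code, as in the article
MAX_ATTEMPTS = 5         # assumed lockout threshold (not Microsoft's real value)


def generate_code() -> str:
    """Seven-digit numeric reset code drawn from a CSPRNG, zero-padded."""
    return f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"


class NaiveVerifier:
    """Reads the counter, decides, then increments.

    Requests that all read the counter before any increment lands are all
    let through, so a burst of concurrent guesses defeats the limit.
    `barrier` is a test hook that forces exactly that interleaving instead
    of relying on scheduler luck."""

    def __init__(self, code: str, barrier: Optional[threading.Barrier] = None):
        self.code = code
        self.attempts = 0
        self.barrier = barrier

    def verify(self, guess: str) -> str:
        allowed = self.attempts < MAX_ATTEMPTS       # check
        if self.barrier is not None:
            self.barrier.wait()                      # every request has now checked
        self.attempts += 1                           # act (too late to matter)
        if not allowed:
            return "rate_limited"
        return "ok" if hmac.compare_digest(guess, self.code) else "wrong"


class AtomicVerifier:
    """Check and increment under one lock: the (MAX_ATTEMPTS+1)th request is
    refused no matter how many arrive at the same instant."""

    def __init__(self, code: str):
        self.code = code
        self.attempts = 0
        self.lock = threading.Lock()

    def verify(self, guess: str) -> str:
        with self.lock:
            if self.attempts >= MAX_ATTEMPTS:
                return "rate_limited"
            self.attempts += 1
        return "ok" if hmac.compare_digest(guess, self.code) else "wrong"


def flood(verifier, guesses):
    """Send every guess concurrently (one thread per guess) and tally responses."""
    with ThreadPoolExecutor(max_workers=len(guesses)) as pool:
        results = list(pool.map(verifier.verify, guesses))
    return {k: results.count(k) for k in ("ok", "wrong", "rate_limited")}


def run_burst(n: int = 50, code: Optional[str] = None):
    """Fire n concurrent guesses at each limiter.

    Returns (naive_tally, atomic_tally). The guesses are constructed: the
    first n codes in numeric order, standing in for one slice of an attacker's
    sweep over the 10 million possibilities."""
    code = code if code is not None else generate_code()
    guesses = [f"{i:0{CODE_LENGTH}d}" for i in range(n)]
    naive = flood(NaiveVerifier(code, threading.Barrier(n)), guesses)
    atomic = flood(AtomicVerifier(code), guesses)
    return naive, atomic


if __name__ == "__main__":
    naive, atomic = run_burst()
    print("naive  :", naive)    # every guess evaluated, none rate-limited
    print("atomic :", atomic)   # MAX_ATTEMPTS evaluated, the rest rate-limited
```

The fix is not the lock as such but the property it gives: the decision to evaluate a guess and the act of counting it happen as one step, per account, in whatever store the counter lives in. A production deployment behind several servers would need the same atomicity in shared storage (for example an atomic increment-and-compare in the backing database or cache) rather than per-process memory, otherwise each instance has its own counter and the burst only needs to be spread across them.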

By Hrithik Lall
