Recently, an independent security researcher discovered a serious flaw that could have allowed a malicious actor to take over any Microsoft account without the user's knowledge. Microsoft awarded the researcher, Laxman Muthiyah, $50,000 under its bug bounty program for reporting it.
The flaw made it possible to brute-force the seven-digit security code that Microsoft sends to a user's email address or mobile number to confirm their identity before a password reset, the step that gates recovery of the account. Microsoft addressed the issue in November 2020; Muthiyah disclosed the finding publicly in March 2021.
Encryption and rate-limiting checks are meant to stop an attacker from automatically submitting all 10 million possible codes, but Muthiyah said he eventually worked out the encryption function used to obscure the code in transit and then sent his guesses concurrently rather than one after another. The rate limiter still caught most of them: in his tests, of 1,000 codes sent in a single burst, only 122 reached the verification step, and the rest were blocked with error code 1211. That fraction is what matters for a seven-digit code, since every request that slips past the limiter chips away at a space of only 10 million values.
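The article does not say how Microsoft's limiter was built, so the following is an added illustration, not the researcher's or Microsoft's code. It assumes the simplest way a limiter lets a burst through: a check-then-act race in which the attempt counter is read, the request is processed, and only afterwards is the counter incremented. The verifier, the guesses and the secret are all constructed for the example; the hardened form holds the check and the increment under one lock so the limit survives simultaneous requests.

```python
import threading
import time

MAX_ATTEMPTS = 10  # guesses allowed per account before the limiter blocks

# Constructed sample: fifty seven-digit guesses and a secret chosen from them.
# Real codes are drawn from 10,000,000 values; the point here is the limiter.
GUESSES = [f"{i:07d}" for i in range(50)]
SECRET = "0000037"


class NaiveVerifier:
    """Rate limiter with a check-then-act race (assumed bug, not Microsoft's
    implementation): the counter is read, the request is processed, and only
    then is the counter incremented. Concurrent requests all see the old value."""

    def __init__(self, secret, max_attempts=MAX_ATTEMPTS):
        self.secret = secret
        self.max_attempts = max_attempts
        self.attempts = 0

    def verify(self, code):
        if self.attempts >= self.max_attempts:
            return "blocked"          # analogue of an error 1211 response
        # Simulated backend latency between the check and the update; this
        # gap is the window a burst of simultaneous requests slips through.
        time.sleep(0.01)
        self.attempts += 1
        return "ok" if code == self.secret else "wrong"


class AtomicVerifier(NaiveVerifier):
    """Hardened form: the check and the increment happen under one lock,
    so the limit holds no matter how many requests arrive at once."""

    def __init__(self, secret, max_attempts=MAX_ATTEMPTS):
        super().__init__(secret, max_attempts)
        self._lock = threading.Lock()

    def verify(self, code):
        with self._lock:
            if self.attempts >= self.max_attempts:
                return "blocked"
            self.attempts += 1        # reserve the attempt before doing work
        time.sleep(0.01)
        return "ok" if code == self.secret else "wrong"


def send_sequential(verifier, codes):
    """One request at a time, as a naive brute-forcer would send them."""
    return [(code, verifier.verify(code)) for code in codes]


def send_burst(verifier, codes):
    """Every guess fired at the same instant from its own thread, the
    concurrent pattern described in the article."""
    results, out_lock = [], threading.Lock()
    start = threading.Barrier(len(codes))

    def worker(code):
        start.wait()                  # release all threads together
        outcome = verifier.verify(code)
        with out_lock:
            results.append((code, outcome))

    threads = [threading.Thread(target=worker, args=(c,)) for c in codes]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def processed(results):
    """Number of guesses that reached the comparison instead of being blocked."""
    return sum(1 for _, outcome in results if outcome != "blocked")


def found_secret(results):
    return any(outcome == "ok" for _, outcome in results)


if __name__ == "__main__":
    runs = [("naive/sequential", NaiveVerifier, send_sequential),
            ("naive/burst", NaiveVerifier, send_burst),
            ("atomic/burst", AtomicVerifier, send_burst)]
    for name, cls, send in runs:
        r = send(cls(SECRET), GUESSES)
        print(f"{name:18} processed={processed(r):3} of {len(GUESSES)} "
              f"secret_found={found_secret(r)}")
```

Run stand-alone, the sequential case is blocked after exactly ten guesses, the naive burst lets far more than ten through (and often lands on the secret), and the locked verifier processes exactly ten regardless of concurrency. The fix is not a smaller window but making the check and the bookkeeping one atomic step, whether with a lock, an atomic counter, or a store that increments and returns in a single operation.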