Microsoft has paid an Indian researcher $50,000 for finding a major vulnerability in its services. Laxman Muthiyah was awarded the sum as a part of Microsoft’s HackerOne bug bounty program; the vulnerability, had it gone undetected, could have allowed hackers to completely hijack a user’s account without any notification whatsoever.
Muthiyah had recently spotted a similar vulnerability in Instagram (for which he was awarded $30,000). Moreover, he noticed that both Instagram and Microsoft used a similar technique to reset a user’s password, so he decided to test whether the same methods would work against Microsoft too.
He then recorded a video and emailed it to Microsoft with detailed steps and instructions on the vulnerability. He stated that the issue was dealt with promptly: “The issue was patched in November 2020 and my case was assigned a different security impact than the one expected. I asked them to reconsider the security impact explaining my attack. After a few back and forth emails, my case was assigned to Elevation of Privilege (Involving Multi-factor Authentication Bypass). Due to the complexity of the attack, bug severity was assigned as important instead of critical.”
Muthiyah received the $50,000 bounty on February 9, 2021, while also getting permission to publish the vulnerability to the world on March 1, 2021.
Report by Chetali S M
Reported on – 04/03/2021