shot-button
E-paper E-paper
Home > Technology News > Indian techies bug alert wins Rs 36 lakh from Microsoft

Indian techie's bug alert wins Rs 36 lakh from Microsoft

Updated on: 04 March,2021 09:42 AM IST  |  Chennai
IANS |

After assessing his report, the Microsoft security team patched the issue and rewarded him $50,000 as a part of their Identity Bounty Program, security researcher Laxman Muthiyah wrote in a blog post on Tuesday.

Indian techie's bug alert wins Rs 36 lakh from Microsoft

Microsoft logo is pictured at the Microsoft Annual Shareholders Meeting in Bellevue, Washington. Pic/AFP

Microsoft has awarded a Chennai-based security researcher $50,000 (approximately Rs 36 lakh) for spotting vulnerability on the company's online services that "might have allowed anyone to takeover any Microsoft account without consent".


After assessing his report, the Microsoft security team patched the issue and rewarded him $50,000 as a part of their Identity Bounty Program, security researcher Laxman Muthiyah wrote in a blog post on Tuesday.


Muthiyah earlier won bug bounty from Facebook for finding a similar account takeover vulnerability in Instagram. "I found Microsoft is also using the similar technique to reset user's password so I decided to test them for any rate limiting vulnerability," he said.


Muthiyah explained that to reset a Microsoft account's password, users need to enter email address or phone number in their forgot password page. After that they will be asked to select the email or mobile number that can be used to receive the security code.

Once they receive the 7-digit security code, they will have to enter it to reset the password. "Here, if we can bruteforce all the combination of 7 digit code, we will be able to reset any user's password without permission. But, obviously, there will be some rate limits that will prevent us from making a large number of attempts," he said.

After several days of efforts, he was able to spot the account takeover flaw. "Immediately, I recorded a video of all the bypasses and submitted it to Microsoft along with detailed steps to reproduce the vulnerability. They were quick in acknowledging the issue," Muthiyah said.

This story has been sourced from a third party syndicated feed, agencies. Mid-day accepts no responsibility or liability for its dependability, trustworthiness, reliability and data of the text. Mid-day management/mid-day.com reserves the sole right to alter, delete or remove (without notice) the content in its absolute discretion for any reason whatsoever

"Exciting news! Mid-day is now on WhatsApp Channels Subscribe today by clicking the link and stay updated with the latest news!" Click here!


Mid-Day Web Stories

Mid-Day Web Stories

This website uses cookie or similar technologies, to enhance your browsing experience and provide personalised recommendations. By continuing to use our website, you agree to our Privacy Policy and Cookie Policy. OK