
A $50,000 Bug Could Have Allowed Hackers to Access Any Microsoft Account


Microsoft has awarded an independent security researcher $50,000 as part of its bug bounty program for reporting a flaw that could have allowed a malicious actor to hijack users' accounts without their knowledge.

The vulnerability, reported by Laxman Muthiyah, involves brute-forcing the seven-digit security code that is sent to a user's email address or mobile number to verify their identity before the password is reset in order to recover access to the account.

Put differently, the account takeover scenario is a consequence of privilege escalation stemming from an authentication bypass at the endpoint used to verify the codes sent as part of the account recovery process.

The company addressed the issue in November 2020, before details of the flaw came to light on Tuesday.

Although there are encryption barriers and rate-limiting checks designed to prevent an attacker from submitting all ten million possible codes in an automated fashion, Muthiyah said he eventually cracked the encryption function used to cloak the security code and sent multiple concurrent requests.

Indeed, Muthiyah's tests showed that of 1,000 codes sent, only 122 got through, with the rest blocked with the error code 1211.

"I realized that they are blacklisting the IP address [even] if all the requests we send do not hit the server at the same time," the researcher said in a write-up, adding that "a few milliseconds delay between the requests allowed the server to detect the attack and block it."

Following this discovery, Muthiyah said he was able to get around the rate-limiting constraint and reach the next step of changing the password, thereby allowing him to hijack the account.
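The rate-limiting failure described above, where a burst of simultaneous requests slips past a check that only catches spaced-out ones, is a classic race between reading an attempt counter and updating it. The following added example (not from the article or from Muthiyah's write-up) contrasts a check-then-act limiter with one that consumes the attempt budget atomically; the seven-digit code and the per-code limit of five tries are constructed assumptions for the demonstration.

```python
import hmac
import threading

# Assumed policy for this example: a recovery code may be checked at most
# MAX_ATTEMPTS times in total, counted per code rather than per source IP,
# so spreading the guesses across many addresses buys nothing.
MAX_ATTEMPTS = 5
RECOVERY_CODE = "4831972"  # constructed sample seven-digit code


class RacyVerifier:
    # Check-then-act: the counter is read, work happens, then it is
    # incremented, so concurrent requests all read it before anyone adds to it.
    def __init__(self, code):
        self.code, self.attempts = code, 0

    def verify(self, guess):
        if self.attempts >= MAX_ATTEMPTS:
            return "blocked"
        threading.Event().wait(0.05)  # stands in for the lookup/validation delay
        self.attempts += 1
        return "ok" if hmac.compare_digest(guess, self.code) else "wrong"


class AtomicVerifier:
    # Read, decision and increment form one critical section, so the budget
    # holds under any degree of concurrency.
    def __init__(self, code):
        self.code, self.attempts, self.lock = code, 0, threading.Lock()

    def verify(self, guess):
        with self.lock:
            if self.attempts >= MAX_ATTEMPTS:
                return "blocked"
            self.attempts += 1  # consume the attempt before answering
        return "ok" if hmac.compare_digest(guess, self.code) else "wrong"


def flood(verifier, guesses):
    """Submit every guess from its own thread at the same instant and
    return the list of outcomes ("blocked", "wrong" or "ok")."""
    results, barrier = [], threading.Barrier(len(guesses))

    def worker(g):
        barrier.wait()  # release all requests together
        results.append(verifier.verify(g))  # list.append is atomic under the GIL

    threads = [threading.Thread(target=worker, args=(g,)) for g in guesses]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results
```

With forty simultaneous guesses, the racy limiter evaluates far more than five of them, while the atomic one evaluates exactly five and blocks the rest.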

While this attack only works in cases where the account is not secured by two-factor authentication, it can still be extended to defeat both layers of protection and modify a target account's password, although that could be prohibitive given the amount of computing resources required to mount an attack of this kind.

"Putting all together, an attacker has to send all the possibilities of 6 and 7 digit security codes that would be around 11 million request attempts and it has to be sent concurrently to change the password of any Microsoft account (including those with 2FA enabled)," Muthiyah said.

Separately, Muthiyah also applied a similar technique to Instagram's account recovery flow by sending 200,000 concurrent requests from 1,000 different machines, finding that it was possible to achieve account takeover. He was rewarded $30,000 as part of the company's bug bounty program.

"In a real attack scenario, the attacker needs 5000 IP addresses to hack an account," Muthiyah noted. "It sounds big but that is actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of 1 million codes."
