Microsoft Pays $50,000 Bounty for Account Takeover Vulnerability
A security researcher says Microsoft has awarded him a $50,000 bounty reward for reporting a vulnerability that could have potentially allowed for the takeover of any Microsoft account.
The issue, India-based independent security researcher Laxman Muthiyah reveals, could have been abused to reset the password of any account on Microsoft’s online services, but wasn’t that easy to exploit.
The attack, the researcher explains, targets the password recovery process that Microsoft has in place, which typically requires the user to enter their email or phone number to receive a security code, and then enter that code.
Typically, a 7-digit security code is received, meaning that the user is provided with one of 10 million possible codes.
An attacker who wants to gain access to the targeted user’s account would need to correctly guess the code or be able to try as many of these codes as possible, until they enter the correct one.
Microsoft has a series of mechanisms in place to prevent attacks, including limiting the number of attempts to prevent automated brute forcing and blacklisting an IP address if multiple consecutive attempts are made from it.
What Muthiyah discovered, however, was not only a technique to automate the sending of requests, but also that the system would not block the requests if they all reached the server simultaneously; even the slightest delay between them would trigger the defense mechanism.
“I sent around 1000 seven digit codes including the right one and was able to get the next step to change the password,” the researcher says.
The attack is valid for accounts without two-factor authentication (2FA) enabled, but even the second authentication step could be bypassed, using the same type of attack, Muthiyah says. Specifically, the user is first prompted to provide a 6-digit code that their authenticator app has generated, and then the 7-digit code received via email or phone.
“Putting it all together, an attacker has to send all the possibilities of 6- and 7-digit security codes that would be around 11 million request attempts and it has to be sent concurrently to change the password of any Microsoft account (including those with 2FA enabled),” the researcher says.
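The failure the researcher describes, a limit that only holds when requests arrive one after another, is the classic check-then-increment race in an attempt counter. Below is an added toy simulation, not code from the article or from Microsoft, with a hypothetical five-attempt limit: the first limiter reads and then writes its counter without synchronization, the second reserves the attempt under a lock before evaluating the code, and firing the same batch of simultaneous guesses at both shows the difference.

```python
import threading
import time
MAX_ATTEMPTS = 5  # hypothetical per-account limit on security-code guesses

class RacyCodeCheck:
    """Check-then-increment with no synchronization: concurrent requests can all
    read the counter before any of them writes the incremented value back."""
    def __init__(self, secret):
        self.secret = secret
        self.attempts = 0
    def verify(self, code):
        if self.attempts >= MAX_ATTEMPTS:
            return "blocked"
        seen = self.attempts
        time.sleep(0.01)  # backend latency between the read and the write-back
        self.attempts = seen + 1  # lost update: every concurrent reader saw 0
        return "ok" if code == self.secret else "wrong"

class AtomicCodeCheck:
    """Hardened variant: the attempt is reserved under a lock before the code is
    evaluated, so no more than MAX_ATTEMPTS guesses are ever checked."""
    def __init__(self, secret):
        self.secret = secret
        self.attempts = 0
        self.lock = threading.Lock()
    def verify(self, code):
        with self.lock:
            if self.attempts >= MAX_ATTEMPTS:
                return "blocked"
            self.attempts += 1
        time.sleep(0.01)
        return "ok" if code == self.secret else "wrong"

def fire_concurrently(checker, codes):
    """Release all requests at the same instant (via a barrier) and collect results."""
    barrier = threading.Barrier(len(codes))
    results = [None] * len(codes)
    def worker(i, code):
        barrier.wait()
        results[i] = checker.verify(code)
    threads = [threading.Thread(target=worker, args=(i, c)) for i, c in enumerate(codes)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results

def evaluated(results):
    """Number of guesses the server actually checked instead of blocking."""
    return sum(r != "blocked" for r in results)
```

In a multi-server backend the same reservation has to be a single atomic increment in the shared store, not a read followed by a write, and the counter should be keyed to the account rather than only to the client IP.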
The issue was reported to Microsoft last year and a patch was rolled out in November. Microsoft awarded the researcher a $50,000 bug bounty reward as part of its Identity Bounty Program, assessing the vulnerability with a severity rating of important and considering it an “Elevation of Privilege (Involving Multi-factor Authentication Bypass)” — this type of issue has the highest security impact in Microsoft’s Identity Bounty Program.
The only reason the vulnerability was not rated critical severity, the researcher notes, was the complexity of the attack. To process and send large numbers of concurrent requests, an attacker would need a good deal of computing power, along with the ability to spoof thousands of IP addresses.