Sunday, April 11, 2021
  • Setup menu at Appearance » Menus and assign menu to Top Bar Navigation
Advertisement
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
No Result
View All Result
Home Internet Security

Microsoft account hijack vulnerability earns bug bounty hunter $50,000

March 3, 2021
in Internet Security
Microsoft account hijack vulnerability earns bug bounty hunter $50,000
585
SHARES
3.3k
VIEWS
Share on FacebookShare on Twitter

Microsoft has awarded a bug bounty hunter $50,000 for disclosing a vulnerability leading to account hijacking. 

In a blog post on Tuesday, researcher Laxman Muthiyah said the security flaw could “have allowed anyone to take over any Microsoft account without consent [or] permission.” 

You might also like

Washington State educational organizations targeted in cryptojacking spree

Critical Zoom vulnerability triggers remote code execution without user input

Nation-state cyber attacks targeting businesses are on the rise

However, as noted in a discussion concerning the report, this may only apply to consumer accounts.

Muthiyah previously found an Instagram rate limiting bug that could lead to account takeover and applied the same tests to Microsoft’s account protections. 

In order to reset a password for a Microsoft account, the company requires an email address or phone number to be submitted through a “Forgotten Password” page. A seven-digit security code is then sent as a method of verification and needs to be provided in order to create a new password. 

Utilizing a brute-force attack to obtain the seven-digit code would lead to password resets without the account owner’s permission. However, to stop these attacks in their tracks, rate limits, encryption, and checks are imposed. 

After examining Microsoft’s defenses, Muthiyah was able to “work out” the company’s encryption and “automate the entire process from encrypting the code to sending multiple concurrent requests.”

An experiment involved 1000 code attempts being sent but only 122 were processed — whereas the others resulted in an error and further requests from the test account were blocked. 

By sending simultaneous requests, however, the bug bounty hunter was able to circumvent both encryption and the blocking mechanism — as long as there was no delay in requests, as even a few “milliseconds” was enough for requests to be detected and blacklisted, according to the researcher.

Muthiyah was able to tweak his attack by way of parallel processing, which sends all requests at the same time without any delay, and successfully obtain the correct code. 

However, in real-world scenarios, this attack vector is not a simple one. To bypass one seven-digit code would take heavy computing power, and if combined with the need to also break an accompanying 2FA code — when this feature is enabled on a target Microsoft account — this could require millions of requests in total. 

Muthiyah reported his findings and sent Microsoft a Proof-of-Concept (PoC) video as evidence. The bug bounty hunter said that the tech giant was “quick in acknowledging the issue” and a patch was issued in November 2020. 

The vulnerability was assigned a severity rating of “important” by Microsoft — due to the complexity of triggering exploits through the bug — and was described as an “elevation of privilege (including multi-factor authentication bypass),” according to an email screenshot shared by Muthiyah. 

The bug bounty award of $50,000 was issued on February 9 via the HackerOne bug bounty platform, a partner for distributing rewards. Microsoft offers between $1,500 and $100,000 for valid bug reports. 

“I would like to thank Dan, Jarek, and the entire MSRC Team for patiently listening to all my comments, providing updates, and patching the issue,” Muthiyah commented.

The Microsoft Security Response Center thanked the researcher for his findings. 

In related Microsoft news, the Redmond giant has recently issued emergency patches to address four zero-day vulnerabilities impacting Exchange Server. 

ZDNet has reached out to Microsoft for further comment and will update when we hear back. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0



Credit: Zdnet

Previous Post

New Chrome 0-day Bug Under Active Attacks – Update Your Browser ASAP!

Next Post

The TensorFlow Certification: get official recognition, but it’s hard! | by Keenan Moukarzel | Feb, 2021

Related Posts

Washington State educational organizations targeted in cryptojacking spree
Internet Security

Washington State educational organizations targeted in cryptojacking spree

April 10, 2021
Critical Zoom vulnerability triggers remote code execution without user input
Internet Security

Critical Zoom vulnerability triggers remote code execution without user input

April 10, 2021
Nation-state cyber attacks targeting businesses are on the rise
Internet Security

Nation-state cyber attacks targeting businesses are on the rise

April 10, 2021
These are the terrible passwords that people are still using. Here’s how to do better
Internet Security

These are the terrible passwords that people are still using. Here’s how to do better

April 9, 2021
Why do phishing attacks work? Blame the humans, not the technology
Internet Security

Why do phishing attacks work? Blame the humans, not the technology

April 9, 2021
Next Post
The TensorFlow Certification: get official recognition, but it’s hard! | by Keenan Moukarzel | Feb, 2021

The TensorFlow Certification: get official recognition, but it’s hard! | by Keenan Moukarzel | Feb, 2021

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

January 6, 2019
Microsoft, Google Use Artificial Intelligence to Fight Hackers

Microsoft, Google Use Artificial Intelligence to Fight Hackers

January 6, 2019

Categories

  • Artificial Intelligence
  • Big Data
  • Blockchain
  • Crypto News
  • Data Science
  • Digital Marketing
  • Internet Privacy
  • Internet Security
  • Learn to Code
  • Machine Learning
  • Marketing Technology
  • Neural Networks
  • Technology Companies

Don't miss it

27 million galaxy morphologies quantified and cataloged with the help of machine learning
Machine Learning

27 million galaxy morphologies quantified and cataloged with the help of machine learning

April 11, 2021
Machine learning and big data needed to learn the language of cancer and Alzheimer’s
Machine Learning

Machine learning and big data needed to learn the language of cancer and Alzheimer’s

April 11, 2021
Job Scope For MSBI In 2021
Data Science

Job Scope For MSBI In 2021

April 11, 2021
Basic laws of physics spruce up machine learning
Machine Learning

New machine learning method accurately predicts battery state of health

April 11, 2021
Can a Machine Learning Model Predict T2D?
Machine Learning

Can a Machine Learning Model Predict T2D?

April 11, 2021
Leveraging SAP’s Enterprise Data Management tools to enable ML/AI success
Data Science

Leveraging SAP’s Enterprise Data Management tools to enable ML/AI success

April 11, 2021
NikolaNews

NikolaNews.com is an online News Portal which aims to share news about blockchain, AI, Big Data, and Data Privacy and more!

What’s New Here?

  • 27 million galaxy morphologies quantified and cataloged with the help of machine learning April 11, 2021
  • Machine learning and big data needed to learn the language of cancer and Alzheimer’s April 11, 2021
  • Job Scope For MSBI In 2021 April 11, 2021
  • New machine learning method accurately predicts battery state of health April 11, 2021

Subscribe to get more!

© 2019 NikolaNews.com - Global Tech Updates

No Result
View All Result
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News

© 2019 NikolaNews.com - Global Tech Updates