Microsoft Pays $50,000 Bounty for Account Takeover Vulnerability

A security researcher says Microsoft has awarded him a $50,000 bounty reward for reporting a vulnerability that could have potentially allowed for the takeover of any Microsoft account.

The issue, India-based independent security researcher Laxman Muthiyah reveals, could have been abused to reset the password of any account on Microsoft’s online services, but wasn’t that easy to exploit.

The attack, the researcher explains, targets the password recovery process that Microsoft has in place, which typically requires the user to enter their email or phone number to receive a security code, and then enter that code.

Typically, a 7-digit security code is received, meaning that the user is provided with one of 10 million possible codes.

An attacker who wants to gain access to the targeted user’s account would need to correctly guess the code or be able to try as many of these codes as possible, until they enter the correct one.

Microsoft has a series of mechanisms in place to prevent attacks, including limiting the number of attempts to prevent automated brute forcing and blacklisting an IP address if multiple consecutive attempts are made from it.

What Muthiyah discovered, however, was not only a technique to automate the sending of requests, but also that the system no longer blocked them if they reached the server simultaneously: even the slightest delay between requests was enough to trigger the defense mechanism, so the attempt limit was only enforced against sequential guesses.
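To make the race concrete, here is a constructed Python model, added here and not the researcher's code or Microsoft's implementation, of a check-then-count attempt limiter beside an atomic one; the per-account budget, the secret code and the size of the burst are assumed values, and the barrier stands in for requests arriving in the same instant.

```python
import hmac
import threading
from concurrent.futures import ThreadPoolExecutor

MAX_ATTEMPTS = 5  # assumed per-account attempt budget (constructed value)


class RacyVerifier:
    """Check the counter, compare the code, then count the attempt.
    Requests arriving inside that window all read a counter below the
    limit, so the budget is never enforced against a concurrent burst."""

    def __init__(self, secret: str, arrivals: int):
        self.secret = secret
        self.attempts = 0
        # Barrier stands in for `arrivals` requests reaching the server at
        # the same instant; it makes the race reproducible, not timing luck.
        self._window = threading.Barrier(arrivals)

    def verify(self, guess: str) -> bool:
        if self.attempts >= MAX_ATTEMPTS:  # non-atomic check
            return False
        self._window.wait()  # all requests pass the check before any is counted
        self.attempts += 1
        return hmac.compare_digest(guess, self.secret)


class AtomicVerifier:
    """Reserve an attempt under a lock before the code is examined. Once the
    budget is spent the account stays refused, however many requests race."""

    def __init__(self, secret: str):
        self.secret = secret
        self.attempts = 0
        self._lock = threading.Lock()

    def verify(self, guess: str) -> bool:
        with self._lock:
            if self.attempts >= MAX_ATTEMPTS:
                return False
            self.attempts += 1  # counted before the comparison, never after
        return hmac.compare_digest(guess, self.secret)


def flood(verifier, guesses):
    """Submit every guess on its own thread and return how many were accepted."""
    with ThreadPoolExecutor(max_workers=len(guesses)) as pool:
        return sum(pool.map(verifier.verify, guesses))
```

A per-IP blacklist like the one the article mentions adds nothing against this race; the counter that matters is the per-account one, and it must be reserved atomically before the code is compared.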

“I sent around 1000 seven digit codes including the right one and was able to get the next step to change the password,” the researcher says.

The attack is valid for accounts without two-factor authentication (2FA) enabled, but even the second authentication step could be bypassed, using the same type of attack, Muthiyah says. Specifically, the user is first prompted to provide a 6-digit code that their authenticator app has generated, and then the 7-digit code received via email or phone.

“Putting it all together, an attacker has to send all the possibilities of 6 and 7 digit security codes that would be around 11 million request attempts and it has to be sent concurrently to change the password of any Microsoft account (including those with 2FA enabled),” the researcher says.

The issue was reported to Microsoft last year and a patch was rolled out in November. Microsoft awarded the researcher a $50,000 bug bounty reward as part of its Identity Bounty Program, assessing the vulnerability with a severity rating of important and considering it an “Elevation of Privilege (Involving Multi-factor Authentication Bypass)” — this type of issue has the highest security impact in Microsoft’s Identity Bounty Program.

The only reason the vulnerability was not rated critical severity, the researcher notes, was the complexity of the attack. To process and send large numbers of concurrent requests, an attacker would need a good deal of computing power, along with the ability to spoof thousands of IP addresses.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.