Microsoft Account Takeover Vulnerability Spotted by Kerala-Based Engineer

Microsoft Account Takeover Vulnerability Spotted by Kerala-Based Engineer
Highlights
  • Sahad NK won bug bounty from Microsoft
  • The vulnerabilities left 400 million users' accounts open to hacking
  • They were reported to Microsoft in June and fixed by November end
Advertisement

A Kerala-based application security engineer has won bug bounty from Microsoft for discovering a series of vulnerabilities that left over 400 million Microsoft users' accounts - from Office 365 to Outlook emails - open to hacking.

Sahad NK, who works as a security researcher with cyber-security portal Safetydetective.com, came across multiple vulnerabilities that, when chained together, allow an attacker to take over any Microsoft Outlook, Microsoft Store, or Microsoft Sway account simply via the victim clicking on a link.

"Immediately after finding these vulnerabilities, we contacted Microsoft via their responsible disclosure programme and started working with them," said Safetydetective on Tuesday.

The vulnerabilities were reported to Microsoft in June and fixed by November end.

"While the vulnerability proof of concept was only made for Microsoft Outlook and Microsoft Sway, we expect it to affect all Microsoft accounts including Microsoft Store," said Sahad.

Sahad discovered that a Microsoft subdomain, "success.office.com", had not been properly configured. He also found bugs in Microsoft Office, Store, and Sway products.

A string of bugs when chained together created the perfect attack to gain access to someone's Microsoft account - simply by tricking a user into clicking a link.

"Anyone's Office account, even enterprise and corporate accounts, including their email, documents and other files, could have been easily accessed by a malicious attacker, and it would have been near-impossible to discern from a legitimate user," said TechCrunch.

Sahad, with the help of fellow security researcher Paulos Yibelo, reported the bug to Microsoft, which fixed the vulnerability and gave an unspecified amount as bug bounty to Sahad.

Several tech companies offer bug bounty incentives. Sahad also received bug bounty from Facebook last year for discovering a bug in the social networking platform.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: Sahad NK, Microsoft
Google CEO Sundar Pichai Emerges 'Unscathed' From US Congress Hearing
Twitter CEO Jack Dorsey Responds to Critics of Myanmar Tweets, Says He's 'Aware of Atrocities'
Facebook Gadgets360 Twitter Share Tweet Snapchat LinkedIn Reddit Comment google-newsGoogle News

Advertisement

Follow Us
© Copyright Red Pixels Ventures Limited 2024. All rights reserved.
Trending Products »
Latest Tech News »