Microsoft paid independent security researcher Laxman Muthiyah $50,000 for a vulnerability that could be used to take over user accounts without their knowledge.
The vulnerability allowed an attacker to brute-force the seven-digit security code that is sent to the user by email or phone to confirm their identity during the password reset process. In other words, taking control of the victim's account amounted to an authentication bypass on the endpoint that verifies the codes sent during account recovery: whoever can guess the code can finish the reset flow and set a new password.
Microsoft fixed the problem in November last year, but the general public only became aware of it this week. The code is encrypted on the client side before it is submitted, and rate-limiting checks are meant to stop an attacker from automatically trying all 10 million combinations. Muthiyah nevertheless worked out the encryption function used to mask the security code, so that he could generate valid requests for arbitrary guesses, and then sent large numbers of them at once.
As his test showed, out of 1,000 codes sent by the researcher, only 122 reached the verification logic; the rest were rejected with error code 1211. At first this looked as if his IP address had been blacklisted, but the real cause was that the requests had not arrived at the server at the same time: a delay of only a few milliseconds between requests was enough for the server to detect the attack and block it.
Once he understood this, the researcher sent the requests so that they arrived concurrently, which bypassed the rate limit. He could then proceed to the next step of the flow, changing the password, and hijack the account.
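The pattern described above, a rate limit that holds against one-at-a-time guesses but not against a burst that arrives in the same instant, is a check-then-increment race on the attempt counter. The following model is an added illustration, not Microsoft's code and not the researcher's script; the endpoint's real internals, the error code 1211 and any IP blacklisting are not modelled, and the per-code attempt budget of five is an assumed value. It contrasts the racy counter with an increment-then-check counter that invalidates the code once the budget is spent, and runs a constructed brute force of the first 10,000 seven-digit codes against both.

```python
"""Model of a one-time-code verifier whose rate limit can be raced by
concurrent requests, next to an atomic version.  Illustrative only: the
real recovery endpoint's implementation is not public."""
import hmac
from typing import List, Optional

CODE_DIGITS = 7      # the seven-digit recovery code from the article
MAX_ATTEMPTS = 5     # assumed per-code attempt budget, not a real Microsoft value


class RecoveryEndpoint:
    """Verifies guesses against a single outstanding recovery code.

    atomic=False: the counter is read by every request in a burst before any
    of them writes it back (check-then-increment), so a burst of N requests
    is judged against the pre-burst count.
    atomic=True: each request increments first and is judged on the new
    value (increment-then-check); once the budget is exceeded the code is
    invalidated regardless of how many requests arrived together.
    """

    def __init__(self, code: str, atomic: bool, limit: int = MAX_ATTEMPTS):
        if len(code) != CODE_DIGITS or not code.isdigit():
            raise ValueError("code must be %d digits" % CODE_DIGITS)
        self.code = code
        self.atomic = atomic
        self.limit = limit
        self.attempts = 0
        self.invalidated = False

    def _compare(self, guess: str) -> str:
        # constant-time comparison so the verifier does not leak digits via timing
        return "ok" if hmac.compare_digest(guess, self.code) else "wrong"

    def handle_burst(self, guesses: List[str]) -> List[str]:
        """Process a set of guesses that hit the server at the same instant."""
        if self.invalidated:
            return ["blocked"] * len(guesses)
        results: List[str] = []
        if self.atomic:
            for g in guesses:
                if self.invalidated:
                    results.append("blocked")
                    continue
                self.attempts += 1                  # increment, then check
                if self.attempts > self.limit:
                    self.invalidated = True         # burn the code, not just this request
                    results.append("blocked")
                else:
                    results.append(self._compare(g))
        else:
            snapshot = self.attempts                # every request in the burst sees this value
            for g in guesses:
                results.append("blocked" if snapshot >= self.limit else self._compare(g))
            self.attempts = snapshot + len(guesses)  # writes land only after all checks ran
            if self.attempts >= self.limit:
                self.invalidated = True
        return results


def candidate_codes(start: int, count: int) -> List[str]:
    """Zero-padded seven-digit codes start .. start+count-1 (constructed guess list)."""
    return [f"{i:0{CODE_DIGITS}d}" for i in range(start, start + count)]


def sequential_attack(ep: RecoveryEndpoint, guesses: List[str]) -> Optional[str]:
    """One request at a time: the counter is updated between requests, so even the
    racy endpoint blocks the attacker after `limit` wrong guesses."""
    for g in guesses:
        if ep.handle_burst([g]) == ["ok"]:
            return g
    return None


def concurrent_attack(ep: RecoveryEndpoint, guesses: List[str],
                      burst_size: int = 10_000) -> Optional[str]:
    """Fire guesses in large simultaneous bursts, as the researcher did."""
    for i in range(0, len(guesses), burst_size):
        burst = guesses[i:i + burst_size]
        for g, r in zip(burst, ep.handle_burst(burst)):
            if r == "ok":
                return g
    return None


if __name__ == "__main__":
    secret = "0004242"      # constructed victim code, lies inside the first 10,000 guesses
    space = candidate_codes(0, 10_000)
    print("racy, sequential :", sequential_attack(RecoveryEndpoint(secret, atomic=False), space))
    print("racy, concurrent :", concurrent_attack(RecoveryEndpoint(secret, atomic=False), space))
    print("atomic, concurrent:", concurrent_attack(RecoveryEndpoint(secret, atomic=True), space))
```

The racy endpoint resists the sequential attacker and falls to the concurrent one, which is exactly the behaviour the 1,000-request test exposed; the atomic endpoint rejects the burst after five attempts and invalidates the code, so resending the burst gains nothing. In a real service the increment-then-check must happen in a single atomic store operation (a database row lock or an atomic increment in the cache layer), since an in-process counter like this one does not survive a multi-node deployment.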
While the attack works directly only against accounts that are not protected by two-factor authentication, it can be extended to defeat both layers of protection and ultimately change the victim's password. In practice, however, such an attack is hard to carry out, since it requires large computing resources.
Muthiyah had earlier found similar account takeover bugs in Facebook and Instagram, for which Facebook paid him bounties.