According to Muthiyah, the vulnerability could “have allowed anyone to take over any Microsoft account without consent [or] permission.”
He had earlier found a rate-limiting bug in Instagram's password reset flow that could be used to hijack accounts. He then checked whether Microsoft accounts were exposed to the same class of vulnerability.
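The bug class at issue, as an added example that is neither the article's nor Muthiyah's own code: a toy model of a password-reset code endpoint, run once with no attempt limit and once with a per-code limit, to show that for a short numeric code the limit is the only thing standing between a guess loop and an account takeover. All names are hypothetical, the scenario uses a constructed 4-digit code so the brute force finishes quickly, and it does not reproduce the specific bypass Muthiyah reported, which the article does not describe.

```python
# Added example (not from the article or Muthiyah's write-up): a toy model of a
# password-reset code endpoint, showing why the attempt limit is what stands
# between a short numeric code and an account takeover. All names are
# hypothetical; the constructed scenario uses a 4-digit code to keep the
# brute force fast.
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class _PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class ResetCodeService:
    """Issues one-time numeric reset codes and checks guesses against them.

    max_attempts=None models an endpoint with no rate limit: every wrong guess
    is simply reported as wrong and the attacker may keep going.
    """

    def __init__(self, digits=6, max_attempts=None, ttl_seconds=600):
        self.digits = digits
        self.max_attempts = max_attempts
        self.ttl_seconds = ttl_seconds
        self._pending = {}

    def issue(self, account, code=None):
        """Generate a code for `account` (sent out of band in a real system).

        `code` is a test hook so a demo can fix the secret deterministically.
        """
        if code is None:
            code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self._pending[account] = _PendingCode(code, time.monotonic() + self.ttl_seconds)
        return code

    def verify(self, account, candidate):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'no_code'."""
        st = self._pending.get(account)
        if st is None:
            return "no_code"
        if time.monotonic() > st.expires_at:
            del self._pending[account]
            return "expired"
        # Count the attempt before comparing, so a wrong guess that is racing
        # with another request still burns budget. In a multi-process service
        # this increment must be atomic (a single INCR in the shared store);
        # a read-check-write sequence is the classic way limits get bypassed.
        st.attempts += 1
        if self.max_attempts is not None and st.attempts > self.max_attempts:
            del self._pending[account]        # force a fresh code to be issued
            return "locked"
        if hmac.compare_digest(st.code.encode(), candidate.encode()):
            del self._pending[account]        # one-time use
            return "ok"
        return "wrong"


def brute_force(service, account):
    """Enumerate every code of the service's length until accepted or stopped.

    Returns (success, attempts_made).
    """
    space = 10 ** service.digits
    for n in range(space):
        result = service.verify(account, f"{n:0{service.digits}d}")
        if result == "ok":
            return True, n + 1
        if result in ("locked", "expired", "no_code"):
            return False, n + 1
    return False, space


def demo(digits=4, secret="4242"):
    """Run the same brute force against an unlimited and a limited endpoint."""
    unlimited = ResetCodeService(digits=digits)
    unlimited.issue("victim@example.com", code=secret)
    limited = ResetCodeService(digits=digits, max_attempts=5)
    limited.issue("victim@example.com", code=secret)
    return (brute_force(unlimited, "victim@example.com"),
            brute_force(limited, "victim@example.com"))


if __name__ == "__main__":
    without_limit, with_limit = demo()
    print("no rate limit:", without_limit)   # (True, 4243)
    print("5-attempt limit:", with_limit)    # (False, 6)
```

The unlimited endpoint gives up the account after 4,243 guesses; the limited one invalidates the code on the sixth. The design points worth copying are that the counter is incremented before the comparison, the code is single-use and time-boxed, and the comparison is constant-time; in a real deployment the counter also has to be atomic across workers, or concurrent requests can each see the pre-increment value.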
Microsoft paid the $50,000 award through the HackerOne bug bounty platform. The Redmond-based tech giant offers between $1,500 and $100,000 for reported bugs.
According to Muthiyah, Microsoft was “quick in acknowledging the issue” once he reported it. He also says in a blog post that “The issue was patched in November 2020 and my case was assigned to a different security impact than the one expected. I asked them to reconsider the security impact explaining my attack. After a few back and forth emails, my case was assigned to Elevation of Privilege (Involving Multi-factor Authentication Bypass). Due to the complexity of the attack, bug severity was assigned as important instead of critical.”
Muthiyah announced the result on Twitter on March 2, 2021: “Microsoft Account Takeover! 😊😇 Thank you very much @msftsecresponse for the bounty! 🙏🙏🙏 Write up -… https://t.co/rJAaqZuFIQ” (Laxman Muthiyah, @LaxmanMuthiyah).
Lastly, Muthiyah adds in the blog post: “I would like to thank Dan, Jarek and the entire MSRC Team for patiently listening to all my comments, providing updates and patching the issue. I would also like to thank Microsoft for the bounty.”