Select City

Microsoft Awards Rs 36 Lakhs To Indian Security Expert For Pointing Out Bug

- Updated: 5th Mar 2021, 07:38 IST

Microsoft awards Chennai-based security researcher Rs 36 lakhs for pointing out a vulnerability in the company’s online services. The vulnerability can allow anyone to take over any Microsoft account without consent.

Security researcher Laxman Muthiyah was the one to point out the vulnerability. Laxman wrote a blog post on Tuesday regarding the issue in the online services of Microsoft.

Also read: Realme GT 5G To Launch Tommorow: Everything We Know So Far

Vulnerability in Microsoft

According to Laxman, the forgot password page of Microsoft was an easier target for hackers. If a user forgets his or her password, he or she can reset the password by clicking on forgot password. However, the user will have to enter the email address or phone number on the forgot password page.

After entering the email or phone number, the user will get a 7 digit code on his or her email or phone number. If the user will have to put that 7 digit code on the forgot password page of Microsoft, then he or she will be able to reset the password.

Consequently, if a hacker uses a trial and error method then he or she can reset the password of another user without needing permission. The hacker can use a trial and error method to put all the combinations of a 7 digit code. However, Laxman stated that there were some rate limits that will prevent the hacker from making a large number of attempts.

The Report and Award

Laxman noticed this vulnerability and recorded a video. In the video, he was recording all the bypasses and was creating a detailed step to reproduce the vulnerability. After that, he submitted the report to Microsoft.

Also read: Instagram Allows Four Users To Livestream Together

Microsoft was quick to reply and acknowledge the issue. After assessing the report by Laxman, the security team of Microsoft was able to patch the issue. Microsoft rewarded Laxman an amount of 50,000 dollars. This reward was a part of their identity bounty program. In this program, they reward those who identify the vulnerabilities of any online service by Microsoft.