Why Microsoft has awarded $50,000 to an Indian researcher

An Indian researcher, Laxman Muthiyah, has become the recipient of a $50,000 award by Microsoft under the company’s bug bounty program. Microsoft awarded the Indian researcher for spotting a vulnerability which could lead to someone’s Microsoft account getting hijacked.
As per Muthiyah, the vulnerability could "have allowed anyone to take over any Microsoft account without consent [or] permission."
He had earlier found an Instagram rate-limiting bug that could help hijack someone’s account. He then checked Microsoft accounts for the same vulnerability.
Microsoft issued the award of $50,000 through the HackerOne bug bounty platform. The Redmond-based tech giant offers between $1,500 and $100,000 for reporting bugs.
As per Muthiyah, Microsoft was “quick in acknowledging the issue” once he reported it. He also says in a blog post that “The issue was patched in November 2020 and my case was assigned to different security impact than the one expected. I asked them to reconsider the security impact explaining my attack. After a few back and forth emails, my case was assigned to Elevation of Privilege (Involving Multi-factor Authentication Bypass). Due to the complexity of the attack, bug severity was assigned as important instead of critical.”

Microsoft Account Takeover! 😊😇 Thank you very much @msftsecresponse for the bounty! 🙏🙏🙏Write up -… https://t.co/rJAaqZuFIQ

— Laxman Muthiyah (@LaxmanMuthiyah) March 2, 2021

Lastly, Muthiyah adds in the blog post: “I would like to thank Dan, Jarek and the entire MSRC Team for patiently listening to all my comments, providing updates and patching the issue. I also like to thank Microsoft for the bounty.”
