Researcher Was Able to Take Over all Microsoft Accounts Without 2FA

Security researcher Laxman Muthiyah was able to take over any Microsoft account that did not have two-factor authentication (2FA) enabled, he says in his analysis. The researcher warned Microsoft at the end of last year, after which the problem was fixed. For his bug report, Muthiyah received a $50,000 reward from the tech company.

Microsoft account owners who have forgotten their password can perform a password reset. Users must provide their email address or phone number to which Microsoft sends a seven-digit security code. A new password can be entered with this code.

Since the code consists of seven digits, there are ten million possible combinations in total. Microsoft applies rate limiting to prevent brute-force attacks. Muthiyah discovered that this protection can be circumvented if all codes arrive at the server at exactly the same time, so that the rate limiter does not count them before they are checked. As a demonstration, he sent a thousand seven-digit codes simultaneously, which allowed him to reset the password of a test account.
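The race the article describes, as an added example that is not from the researcher's write-up or from Microsoft's code: a rate limiter that reads, checks and increments its attempt counter as separate steps lets every request that arrives at once through, while one that does all three under a single lock enforces the limit. The five-attempt limit, the class names and the barrier used to model simultaneous arrival are assumptions for this demonstration.

```python
import threading

# Constructed model of a password-reset code check that should allow at
# most MAX_ATTEMPTS guesses per account (value assumed for the demo).
MAX_ATTEMPTS = 5


class NaiveLimiter:
    """Check-then-increment with no lock: the two steps can interleave."""

    def __init__(self, sync):
        self.attempts = 0
        self.sync = sync  # barrier modelling all requests arriving at once

    def try_code(self, code, correct):
        current = self.attempts           # step 1: read the counter
        if current >= MAX_ATTEMPTS:
            return "blocked"
        self.sync.wait()                  # every request has passed the check
        self.attempts = current + 1       # step 2: write back (lost updates)
        return "ok" if code == correct else "wrong"


class AtomicLimiter:
    """Read, compare and increment happen under one lock, so the count is exact."""

    def __init__(self, sync):
        self.attempts = 0
        self.sync = sync
        self.lock = threading.Lock()

    def try_code(self, code, correct):
        self.sync.wait()                  # same simultaneous arrival
        with self.lock:                   # check and count as one atomic step
            if self.attempts >= MAX_ATTEMPTS:
                return "blocked"
            self.attempts += 1
        return "ok" if code == correct else "wrong"


def simulate(limiter_cls, n_requests, correct="1234567"):
    """Fire n_requests distinct guesses concurrently; return how many were checked."""
    limiter = limiter_cls(threading.Barrier(n_requests))
    results, lock = [], threading.Lock()

    def worker(i):
        r = limiter.try_code(f"{i:07d}", correct)  # constructed guesses 0000000..
        with lock:
            results.append(r)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for r in results if r != "blocked")  # naive: 20, atomic: 5
```

`simulate(NaiveLimiter, 20)` checks all twenty guesses because each request saw the counter at zero; `simulate(AtomicLimiter, 20)` checks exactly five and blocks the rest.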

The attack does not work when a user has enabled two-factor authentication. For a password reset, users who have set this security measure must first enter a six-digit code generated by the authenticator app before entering the seven-digit code. Muthiyah reported the problem to Microsoft last November, after which a patch was quickly rolled out. Microsoft rewarded the researcher with $50,000 for his bug report. Details of the vulnerability have now been disclosed.
