Microsoft has just awarded an Indian researcher $50,000 (approx. ₹36,36,875) under the company’s bug bounty program. Laxman Muthiyah received the award for spotting a vulnerability that left people’s Microsoft accounts susceptible to hijacking.
As Muthiyah explained, the vulnerability could “have allowed anyone to take over any Microsoft account without consent (or) permission.”
This is not the first vulnerability Muthiyah has discovered, though. He had earlier found an Instagram rate-limiting bug that could also be used to hijack someone’s account. Following this, he checked for the same vulnerability on the Microsoft account. Once he found the bug there too, he wrote to Microsoft immediately.
Muthiyah said that Microsoft was quick to acknowledge the issue once he reported it.
“The issue was patched in November 2020 and my case was assigned to different security impact than the one expected. I asked them to reconsider the security impact explaining my attack. After a few back and forth emails, my case was assigned to Elevation of Privilege (Involving Multi-factor Authentication Bypass). Due to the complexity of the attack, bug severity was assigned as important instead of critical,” Muthiyah wrote in a blog post.
The $50,000 award has been issued through Microsoft’s HackerOne bug bounty program. Microsoft offers between $1,500 and $100,000 to people reporting bugs, and the reward is based on how severe the bugs are.
Most big tech companies have a bug bounty program in place through which they reward people for spotting bugs and vulnerabilities.