Microsoft has awarded the security researcher Laxman Muthiyah $50,000 for reporting a vulnerability that could have allowed anyone to hijack users’ accounts without consent.
According to the expert, the vulnerability only impacts consumer accounts.
The vulnerability is related to the possibility to launch a bruteforce attack to guess the seven-digit security code that is sent via email or SMS as a method of verification in password reset procedure.
“To reset a Microsoft account’s password, we need to enter our email address or phone number in their forgot password page, after that we will be asked to select the email or mobile number that can be used to receive security code.” the expert wrote. “Once we receive the 7 digit security code, we will have to enter it to reset the password. Here, if we can bruteforce all the combination of 7 digit code (that will be 10^7 = 10 million codes), we will be able to reset any user’s password without permission.”
The researcher pointed out that rate limits are implemented to limit the number of attempts and protect the accounts.
The analysis of the HTTP POST request sent to validate the code revealed that the code is encrypted before being sent, this means that in order to automate bruteforce attacks it was necessary to break the encryption.
“If you look at the screenshot above, the code 1234567 we entered was nowhere present in the request. It was encrypted and then sent for validation.” continues the post. “I guess they are doing this to prevent automated bruteforce tools from exploiting their system. So, we cannot automate testing multiple codes using tools like Burp Intruder since they won’t do the encryption part.”
To determine the limit rate implemented to protect the accounts, the expert sent 1000 code attempts, but only 122 were processed, the remaining resulted in an error (1211 error code) and any other request was blocked.
By sending simultaneous requests, the expert bypassed the blocking mechanism and the encryption. The expert noticed that the mechanism blacklists the IP address if all the requests sent don’t arrive to the server at the same time
However, the attack is not simple in a real scenario, an attacker has to send the possibilities of security codes, approximately 11 million request attempts, concurrently to change the password of any Microsoft account (including those with 2FA enabled).
This attack would require a lot of computing resources as well as 1000s of IP address to complete the attack successfully.
Muthiyah reported the flaw to Microsoft, which quickly acknowledged the issue and addressed it in November 2020.
The bug bounty award of $50,000 was issued on February 9 via the HackerOne bug bounty platform, a partner for distributing rewards. Microsoft offers between $1,500 and $100,000 for valid bug reports.
“I received the bounty of $50,000 USD on Feb 9th, 2021 through hackerone and got approval to publish this article on March 1st. I would like to thank Dan, Jarek and the entire MSRC Team for patiently listening to all my comments, providing updates and patching the issue. I also like to thank Microsoft for the bounty.” concluded the expert.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Microsoft account hijacking)