Sahad discovered that a Microsoft subdomain, 'success.office.com', had not been properly configured and also found a bug in Microsoft Office, Store and Sway products.
In a huge achievement, a Kerala-based application security engineer has won a bug bounty from global tech giant Microsoft for discovering a series of vulnerabilities that left over 400 million Microsoft users’ accounts open to hacking. Reportedly, the affected accounts ranged from Office 365 to Outlook email.
Sahad NK, who works as a security researcher with the cyber security portal Safetydetective.com, came across multiple vulnerabilities and reported them to Microsoft. Sahad, with the help of fellow security researcher Paulos Yibelo, reported the bugs to the company in June; they were fixed by the end of November. This led to Microsoft awarding Sahad an unspecified amount as a bug bounty.
Sahad also received a bug bounty from Facebook last year for discovering a bug in the social networking platform.
The vulnerabilities, when chained together, allow an attacker to take over any Microsoft Outlook, Microsoft Store, or Microsoft Sway account simply by having the victim click on a link. Chaining this string of bugs created the perfect attack for gaining access to someone’s Microsoft account.
Safetydetective contacted Microsoft immediately after finding these vulnerabilities, via the company’s responsible disclosure programme, and started working with them.
Sahad told IANS that while the vulnerability proof of concept was only made for Microsoft Outlook and Microsoft Sway, he expects it to affect all Microsoft accounts including Microsoft Store.
The severity of a potential breach can be understood from the fact that the vulnerabilities could have given access to anyone’s Office account, even enterprise and corporate accounts, including their email and documents; malicious attackers could have easily accessed that data in a way that would have been near-impossible to distinguish from a legitimate user.