New Delhi: A Kerala-based application security engineer found a series of bugs in Microsoft products which left over 400 million user accounts vulnerable to hacking, said reports on Thursday. For the effort, the man has won been rewarded by the IT giant. (Also read: Fed up With Corruption, Techie to Contest Telangana Elections)Also Read - Realme 9 Pro To iQoo Z3: Top 5 Camera Smartphones That You Can Buy Under Rs.20,000 - Watch Full List
A security researcher with a cybersecurity portal, Sahad NK came across multiple vulnerabilities that allowed a hacker to take over any Microsoft Outlook, Microsoft Store, or Microsoft Sway account as soon as the victim clicked on a link. Also Read - Google-Led Internet Giants Behind 'Biggest Data Breach Ever Recorded': Report
“Immediately after finding these vulnerabilities, we contacted Microsoft via their responsible disclosure programme and started working with them,” said the portal. Also Read - Review Video: Gizmore Gizfit 910 Pro Smartwatch Launched With Bluetooth calling functionality, Worth Buying Or Not? Watch
The vulnerabilities were reported to Microsoft in June and fixed by November-end. “While the vulnerability proof of concept was only made for Microsoft Outlook and Microsoft Sway, we expect it to affect all Microsoft accounts including Microsoft Store,” said Sahad.
Sahad discovered that a Microsoft subdomain, “success.office.com”, had not been properly configured. He also found a bug in Microsoft Office, Store and Sway products. A string of bugs created the perfect attack to access someone’s Microsoft account by tricking a user into clicking a link.
“Anyone’s Office account, even enterprise and corporate accounts, including their email, documents and other files, could have been easily accessed by a malicious attacker, and it would have been near-impossible to discern from a legitimate user,” said TechCrunch.
Sahad, with the help of fellow security researcher Paulos Yibelo, reported the bug to Microsoft, which fixed the vulnerability and gave an unspecified amount as bug bounty to Sahad. Several tech companies offer bug bounty incentives. Sahad also received bug bounty from Facebook last year for discovering a bug in the social networking platform.