A saviour for Microsoft users! Sahad NK, a Kerala-based application security engineer discovered a series of vulnerabilities that left over 400 million Microsoft users accounts- from Office 375to Outlook emails-open to hacking.
Sahad works as a security researcher with cyber security portal Safetydetective.com, came across multiple vulnerabilities that when chained together, can easily allow a hacker to take over any Microsoft Outlook, Microsoft Store, or Microsoft Sway account when the victim clicks on the link.
“Immediately after finding these vulnerabilities, we contacted Microsoft via their responsible disclosure programme and started working with them,” said Safetydetective on Tuesday.
The vulnerabilities were reported to Microsoft from June to November end.
“While the vulnerability proof of concept was only made for Microsoft Outlook and Microsoft Sway, we expect it to affect all Microsoft accounts including Microsoft Store,” said Sahad.
Sahad discovered that a Microsoft subdomain, “success.office.com”, had not been properly configured. He also found bug in Microsoft Office, Store and Sway products. This led to a string of bugs which when chained together created the perfect attack to gain access to someone’s Microsoft account — simply by tricking a user into clicking a link.
“Anyone’s Office account, even enterprise and corporate accounts, including their email, documents and other files, could have been easily accessed by a malicious attacker, and it would have been near-impossible to discern from a legitimate user,” said TechCrunch.
Sahad, along with the help of his colleague Paulos Yibelo, reported the bug to Microsoft, which fixed the vulnerability and gave an unspecified amount as bug bounty to Sahad.
Several tech companies offer bug bounty incentives. Sahad also received bug bounty from Facebook last year for discovering a bug in the social networking platform.