Users are then asked to use either their email or mobile number on their laptop or smartphone to receive a 7 digit security code in order to update their password. "Here, if we can brute-force all the combination of 7 digit code (that will be 10^7 = 10 million codes), we will be able to reset any user’s password without permission," Muthiyah said. However, Microsoft has a rate limit, meaning hackers only have a limited number of attempts to get the correct security code before being locked out indefinitely. The researcher sent out 1,000 codes, with only 122 registering before the rest were invalid. Eventually, he discovered that sending the codes simultaneously let him send a very large number of them at once. These needed to be sent exactly at the same time, not even a few milliseconds apart, otherwise the IP address he used would be blacklisted. He was then able to change the password of the Microsoft account, effectively hijacking the account. Muthiyah noted this would be a lot of work for hackers to do, as he states bad actors would need to send "all the possibilities of 6 and 7 digit security codes that would be around 11 million request attempts and it has to be sent concurrently to change the password of any Microsoft account (including those with 2FA enabled)." A lot of work, but there was a nice payout.
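The weakness the article describes is a rate limit that holds for requests sent one after another but not for requests that arrive at the same instant. The following is an added example written for this page, not Microsoft's code and not the researcher's: it models a security-code check in two forms, a check-then-act counter that reads the limit and increments it in separate steps, and a counter where read, compare and increment happen atomically. All names, the five-attempt limit, the sample code and the wrong guess are constructed for the demonstration.

```python
import hmac
import threading
import time

# Constructed policy for this example: lock the code after this many failed tries.
MAX_ATTEMPTS = 5


class NaiveVerifier:
    """Security-code check whose rate limit is a check-then-act counter.

    The limit is read in one step and incremented in a later step, so
    requests that arrive at the same moment all see the counter below
    the limit before any of them has incremented it.
    """

    def __init__(self, code: str) -> None:
        self.code = code
        self.attempts = 0

    def verify(self, guess: str) -> str:
        if self.attempts >= MAX_ATTEMPTS:      # step 1: read the counter
            return "locked"
        time.sleep(0.005)                      # stands in for the database round trip
        self.attempts += 1                     # step 2: write the counter (too late)
        return "ok" if guess == self.code else "wrong"


class AtomicVerifier:
    """Same check with the read, compare and write done under one lock.

    In a real service the lock is the database's atomic increment (or an
    equivalent store-side counter) keyed on the account, not an in-process mutex.
    """

    def __init__(self, code: str) -> None:
        self.code = code
        self.attempts = 0
        self.lock = threading.Lock()

    def verify(self, guess: str) -> str:
        with self.lock:
            if self.attempts >= MAX_ATTEMPTS:
                return "locked"
            self.attempts += 1
            # Constant-time comparison so timing does not leak which digits matched.
            if hmac.compare_digest(guess, self.code):
                self.attempts = MAX_ATTEMPTS   # a code is single-use: burn it on success
                return "ok"
            return "wrong"


def count_processed(verifier, n_requests: int, guess: str = "0000000") -> int:
    """Fire n_requests verify() calls at the same instant and count how many
    were evaluated rather than rejected as 'locked'."""
    results = []
    results_lock = threading.Lock()
    start = threading.Barrier(n_requests)      # release all threads together

    def worker():
        start.wait()
        r = verifier.verify(guess)
        with results_lock:
            results.append(r)

    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for r in results if r != "locked")


if __name__ == "__main__":
    code = "1234567"  # constructed sample code; a real one is server-generated
    print("naive :", count_processed(NaiveVerifier(code), 200), "of 200 evaluated")
    print("atomic:", count_processed(AtomicVerifier(code), 200), "of 200 evaluated")
```

With 200 simultaneous wrong guesses the naive verifier evaluates far more than five of them, which is the same effect the article reports (1,000 sent, 122 registered); the atomic verifier evaluates exactly five and rejects the rest. The defensive points are the ones the code comments mark: the attempt counter must be incremented atomically with the check, per account rather than per source IP, the code must be single-use, and a lockout should invalidate the outstanding code rather than merely slow the caller.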