
Young Indian Engineer Bags Microsoft Bug Bounty

Sahad N.K. has received a large, undisclosed bounty from Microsoft for fixing a string of bugs in the company’s software and for reporting a flaw that could have allowed a hacker to break into anybody’s Microsoft account.
Sputnik

Safetydetective.com, the portal for which Sahad N.K. works, told Sputnik that it contacted Microsoft as soon as the vulnerabilities were detected in June this year. Microsoft fixed the problem by the end of November, after which it offered an undisclosed reward to the young engineer, who is from the southern Indian state of Kerala.


"Immediately after finding these vulnerabilities, we contacted Microsoft via their responsible disclosure program and started working with them. The vulnerabilities were reported to Microsoft in June and fixed at the end of November 2018. While the vulnerability proof of concept was only made for Microsoft Outlook and Microsoft Sway, we expect it to affect all Microsoft accounts including Microsoft Store", Safetydetective.com said in response to a query from Sputnik.

Sahad works as a security researcher with the cybersecurity portal Safetydetective.com. The portal shared its response with Sputnik on the development, revealing that they had contracted Sahad for the particular assignment, but refused to disclose the bounty amount.

"During our first security investigation for critical vulnerabilities affecting Microsoft, we came across multiple vulnerabilities that, when chained together, allowed an attacker to take over any Microsoft Outlook, Microsoft Store, or Microsoft Sway account simply via the victim clicking on a link", Safetydetective.com added.   


Sahad, with the help of fellow security researcher Paulos Yibelo, reported the bug to Microsoft, which fixed the vulnerability and gave Sahad an unspecified amount as a bug bounty, according to the news agency IANS. Sahad is the same person who received a bug bounty from Facebook last year for discovering a bug in the social networking platform.

"Anyone's Office account, even enterprise and corporate accounts, including their email, documents, and other files, could have been easily accessed by a malicious attacker, and it would have been near-impossible to discern from a legitimate user", said another cyber analysis portal, TechCrunch, in its response to the development.
