Security researcher Laxman Muthiyah has found a critical bug in Microsoft identity manager and has been rewarded $50,000 in prize money. Here is a snippet of his write-up.
After my Instagram account takeover vulnerability, I was searching for similar loopholes in other services. I found that Microsoft is also using a similar technique to reset a user's password, so I decided to test them for any rate-limiting vulnerability.
To reset a Microsoft account's password, we need to enter our email address or phone number on their forgot-password page; after that, we are asked to select the email or mobile number that can be used to receive a security code.
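The flow above hinges on a short security code, so the server's defence against code guessing is the per-code attempt limit. As an added illustration (not code from the write-up or from Microsoft), the block below sketches how a reset-code store can enforce that limit: each issued code carries an expiry and a fixed budget of wrong guesses, the comparison is constant-time, and both a correct guess and exhaustion of the budget invalidate the code. The constants (`MAX_ATTEMPTS`, `CODE_TTL_SECONDS`, `CODE_DIGITS`) are assumed values for the example, not figures from the page.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # assumption: wrong guesses tolerated before the code is invalidated
CODE_TTL_SECONDS = 600    # assumption: a code stays valid for ten minutes
CODE_DIGITS = 7           # constructed value; the page does not state the real code length


class ResetCodeStore:
    """Holds one outstanding password-reset code per account and enforces an attempt budget."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested deterministically
        self._codes = {}         # account_id -> [code, expires_at, attempts_left]

    def issue(self, account_id):
        """Generate a fresh numeric code; any previous code for the account is replaced."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._codes[account_id] = [code, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, account_id, submitted):
        """Check a submitted code. Returns one of: ok, wrong, locked, expired, no_code."""
        entry = self._codes.get(account_id)
        if entry is None:
            return "no_code"
        code, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._codes[account_id]
            return "expired"
        if attempts_left <= 0:
            del self._codes[account_id]
            return "locked"
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(code, submitted):
            del self._codes[account_id]          # a code is single-use
            return "ok"
        entry[2] -= 1
        if entry[2] == 0:
            del self._codes[account_id]          # budget exhausted: force a new code to be issued
            return "locked"
        return "wrong"


def wrong_guess_for(code):
    """Return a syntactically valid code that is guaranteed not to equal `code`."""
    return "0" * len(code) if code != "0" * len(code) else "1" * len(code)


def outcomes_for_repeated_wrong_guesses(store, account_id, count):
    """Submit `count` wrong guesses and return the list of verify() results, for inspection."""
    code = store.issue(account_id)
    bad = wrong_guess_for(code)
    return [store.verify(account_id, bad) for _ in range(count)]


if __name__ == "__main__":
    s = ResetCodeStore()
    print(outcomes_for_repeated_wrong_guesses(s, "demo-account", MAX_ATTEMPTS + 1))
```

The budget is tracked on the server, per account and per issued code, which is what makes a guessing limit meaningful: a counter kept anywhere the client can influence (a cookie, a request parameter) would not survive the kind of rate-limit probing the write-up sets out to test.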