Sahad NK, an application security engineer based in Kerala, recently detected a bug in Microsoft's systems that could leak data from up to 400 million Microsoft accounts, including Office 365 and Outlook accounts.
Sahad NK, who works as a security researcher for the online cyber-security portal safetydetective.com, found multiple vulnerabilities that could possibly leak the data and emails of a Microsoft account via a link created by the attacker. If victims clicked on that link, the attacker could have gained access to all of their Microsoft data, including their Office 365, Outlook email, Microsoft Store and Microsoft Sway accounts.
“While the vulnerability proof of concept was only made for Microsoft Outlook and Microsoft Sway, we expect it to affect all Microsoft accounts including Microsoft Store,” said Sahad, the bug-hunter. Sahad had detected that one of Microsoft's sub-domains, success.office.com, was not properly configured. He also discovered bugs in the Microsoft Office, Store and Sway products.
According to an online tech-news portal, the bug could have granted a malicious attacker access to corporate accounts and their emails, documents and files. Thankfully, Sahad reported it to Microsoft instead of acting as a cyber-criminal and accessing information from Microsoft without its consent.
After finding these vulnerabilities, they (safetydetective.com) immediately contacted Microsoft in June, and Microsoft fixed the issue by November. Sahad reported the bug via a fellow security researcher, Paulos Yibelo. Together, they reported it to Microsoft, and Microsoft was able to fix the security bug. Microsoft gave the bug-hunter an unspecified amount as a reward for finding it.
Many tech companies offer incentives for finding bugs in their systems. Sahad has received a bug bounty from Facebook as well: he discovered a bug in Facebook's system last year and was later rewarded by Facebook for finding it in their social networking website.