Microsoft’s bug bounty: How this Kerala-based security engineer won an undisclosed amount

In a huge achievement, a Kerala-based application security engineer has won a bug bounty from global tech giant Microsoft for discovering a series of vulnerabilities that left over 400 million Microsoft users’ accounts open to hacking. Reportedly, the affected accounts ranged from Office 365 to Outlook email.

Sahad NK, who works as a security researcher with the cyber security portal Safetydetective.com, came across multiple vulnerabilities and reported them to Microsoft. Sahad, with the help of fellow security researcher Paulos Yibelo, reported the bugs to the company in June, and they were fixed by the end of November. This led to Microsoft awarding Sahad an unspecified amount as a bug bounty.

Not only this, Sahad had also received a bug bounty from Facebook last year for discovering a bug in the social networking platform.

Sahad discovered that a Microsoft subdomain, ‘success.office.com’, had not been properly configured, and he also found a bug in the Microsoft Office, Store and Sway products.

The vulnerabilities, when chained together, allow an attacker to take over any Microsoft Outlook, Microsoft Store, or Microsoft Sway account simply by having the victim click on a link. Individually the bugs were limited, but chained together they created a complete attack for gaining access to someone’s Microsoft account.

Safetydetective contacted Microsoft immediately after finding these vulnerabilities, via the company’s responsible disclosure programme, and started working with them on a fix.