
Sahad NK, a Kerala-based techie and research fellow, found a series of vulnerabilities that could have let hackers access the data of 400 million Microsoft Outlook and Office 365 accounts.
Sahad NK, who works as a security researcher with cybersecurity portal Safetydetective.com, came across multiple vulnerabilities that, when chained together, allow an attacker to take over any Microsoft Outlook, Microsoft Store, or Microsoft Sway account simply by getting the victim to click on a link. “Immediately after finding these vulnerabilities, we contacted Microsoft via their responsible disclosure programme and started working with them,” said Safetydetective on Tuesday. The vulnerabilities were reported to Microsoft in June and fixed by the end of November. “While the vulnerability proof of concept was only made for Microsoft Outlook and Microsoft Sway, we expect it to affect all Microsoft accounts including Microsoft Store,” said Sahad.
Microsoft awarded Sahad NK, who is a security researcher at Safetydetective.com, and his colleague Paulos Yibelo an undisclosed bounty for the discovery.
The proof of the vulnerability was made only for Microsoft Outlook and Microsoft Sway, but it was expected to have affected other accounts such as Microsoft Store.
The security expert also discovered that the subdomain 'success.office.com' was misconfigured. He also found a bug in Microsoft Office, Store and Sway products.
A string of bugs, when chained together, can give an attacker access to a Microsoft account with just the click of a link.
A leading technology blog, TechCrunch, said, "Anyone's Office account, even enterprise and corporate accounts, including their email, documents and other files, could have been easily accessed by a malicious attacker, and it would have been near-impossible to discern from a legitimate user".
Sahad had also won a bounty from Facebook for discovering a bug last year.