A 50,000 USD bug bounty recently made news when it was awarded to an independent researcher who reported a vulnerability in Microsoft and Instagram accounts that bypassed the platforms' account recovery service. Despite the high-level security meant to prevent such intrusions into user accounts, the researcher was able to breach the defenses and demonstrate a successful account takeover.
Independent cybersecurity researchers and ethical hackers play a significant role at many technology companies. Their contribution in finding flaws in an app or program is instrumental in improving a company's security and services. Their efforts can save businesses and protect the billions of people who rely on the interconnected services these companies offer. Thus, many companies offer partnerships and recognition to such individuals through bug bounty programs, to prevent intrusion by the rampant malicious actors of today.
According to the submitted report, the researcher reported the bug in November 2020. Microsoft and Instagram only confirmed and announced the vulnerability recently, after patching the issue. The flaw concerned the recovery code that Microsoft and Instagram send to a user who requests account recovery or a password change. Although the platforms impose an invalid-input threshold and IP blocking to counter a program that submits many codes in order to guess the right combination, the researcher was able to find a detour and exploit the vulnerability to demonstrate the weakness. The researcher confirmed that exploiting the vulnerability was a real challenge given the security controls in place. However, using Google's and Amazon's cloud services, the IP blocking and threshold counter were no longer an obstacle: a million tries cost just 150 USD. A few dollars of investment earned the researcher the whopping reward money and recognition.
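The report above turns on one design point: a threshold tracked per source IP is only as strong as the attacker's supply of addresses, whereas a counter tracked per account (which burns the code after a few wrong guesses) does not care how many addresses are used. The following is an added illustration, not code from the article or from Microsoft or Instagram; the limits, the account name and the addresses are constructed for the demonstration.

```python
# Added example: recovery-code verifier with per-IP-only vs per-account throttling.
import secrets
from collections import defaultdict

class RecoveryCodeVerifier:
    def __init__(self, per_ip_limit=5, per_account_limit=10, per_account=True):
        self.per_ip_limit = per_ip_limit
        self.per_account_limit = per_account_limit
        self.per_account = per_account           # False = per-IP throttling only
        self.codes = {}                          # account -> pending 6-digit code
        self.ip_wrong = defaultdict(int)         # source ip -> wrong guesses
        self.acct_wrong = defaultdict(int)       # account -> wrong guesses, any ip

    def issue_code(self, account, code=None):
        # Real deployments generate the code; a fixed value is allowed for tests.
        self.codes[account] = code or f"{secrets.randbelow(10**6):06d}"
        self.acct_wrong[account] = 0
        return self.codes[account]

    def verify(self, account, ip, guess):
        """Return 'ok', 'wrong', or 'blocked' (guess not even checked)."""
        if self.ip_wrong[ip] >= self.per_ip_limit or account not in self.codes:
            return "blocked"
        if self.per_account and self.acct_wrong[account] >= self.per_account_limit:
            return "blocked"
        if secrets.compare_digest(self.codes[account], guess):
            del self.codes[account]              # single use
            return "ok"
        self.ip_wrong[ip] += 1
        self.acct_wrong[account] += 1
        if self.per_account and self.acct_wrong[account] >= self.per_account_limit:
            del self.codes[account]              # burn the code; user must re-request
        return "wrong"

def guesses_checked(per_account, n_ips=200, per_ip=5):
    """Spread wrong guesses over n_ips constructed addresses; count those evaluated."""
    v = RecoveryCodeVerifier(per_account=per_account)
    v.issue_code("victim", code="123456")        # constructed fixed code
    checked = 0
    for i in range(n_ips):
        for _ in range(per_ip):
            if v.verify("victim", f"198.51.100.{i}", "000000") == "wrong":
                checked += 1
    return checked

if __name__ == "__main__":
    print("per-IP only:", guesses_checked(False))   # 1000: grows with the IP pool
    print("per-account:", guesses_checked(True))    # 10: pool size is irrelevant
```

The per-account count is also the number a detection pipeline should alert on: many wrong recovery codes for one account from many addresses is a clear signal even when every single address stays under its own threshold.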
Most technology platforms offer bug bounty programs despite having in-house developers and testers. These bounty hunters are considered ethical hackers who seek the reward money and recognition for their work. It is a way for independent researchers to make a name for themselves in the cyber security world and receive attractive offers from interested companies.
Finding a fault in a prestigious company such as Microsoft shows that nothing is fool-proof: there is always room for improvement, and always a door for malicious actors to exploit.
Preventing such intrusions, or recognising the opportunity to tighten the security of their programs, ensures the business's growth and keeps people's trust from eroding.
As businesses prioritize growth and the security of their users, promoting a reward scheme does not mean that the company has weak security; rather, it should be seen as collaborating with concerned users to improve a system that benefits the whole community. The combined efforts of researchers and companies should not be neglected, especially given how much most people now rely on technology. Ethical hackers deserve to be rewarded and recognized.