This Kerala Techie Saved 400 Million Microsoft Emails From Hacking – Not All Heroes Wear Cape!

If this Kerala techie hasn’t noticed a severe vulnerability, 400 million Microsoft accounts could have been compromised, even hacked.

Sahad, who had earlier received a bug bountry from Facebook saved Microsoft all the hassles, and once again earned a bug bounty.

This is what happened.

The Bug Which Could Have Opened A Portal Of Hack

Sahad NK, an application security engineer who hails from Kerala, discovered that a string of bugs when chained together created the perfect attack to gain access to someone’s Microsoft account, simply by tricking a user into clicking a link.

He pointed this out to Microsoft who awarded him with a bug bounty in return.

In this day and age, the work of employees from each domain depends on the vast world of the internet and computers. Everyone from an 8-year-old kid to a 75 year old senior has a Microsoft account and stores countless valuable data in the various software products Microsoft offers.

But, there is a very small number of people who know that any software needs to be protected from bugs that may hamper its smooth functioning, and can cause malfunctions or even data leaks: which is why software companies offer monetary awards as bug bounty to people who report bugs.

Sahad’s Story

Sahad NK, originally from Kerala, works as a security researcher at a cybersecurity portal ‘Safetydetective.com’. Sahad discovered that a Microsoft subdomain ‘success.office.com’ had not been properly configured. He found bugs in Microsoft Office, Store and Sway products. He found that multiple vulnerabilities that, when chained together, allow an attacker to take over any Microsoft Outlook, Microsoft Store, or Microsoft Sway account simply via the victim clicking on a link.

He said, ‘While the vulnerability proof of concept was only made for Microsoft Outlook and Microsoft Sway, we expect it to affect all Microsoft accounts including Microsoft Store’.

TechCrunch, the American company which publishes any and every news from the technology industry, explained the threat in simple terms saying, ‘Anyone’s Office account, even enterprise and corporate accounts, including their email, documents, and other files, could have been easily accessed by a malicious attacker, and it would have been near-impossible to discern from a legitimate user.’

Here’s what Microsoft Did

On discovering these vulnerabilities, Sahad reported the bug to Microsoft via their responsible disclosure programme in June. By November end, the bug was fixed successfully. Sahad, along with a fellow researcher Paulos Yibelo, reported the bug to Microsoft who, after fixing the bug, awarded them with an unspecified amount as bug bounty.

Microsoft Security Response Center mitigated the case in November 2018 as confirmed by a Microsoft spokesperson.

Had this bug not been detected, 400 million Microsoft users’ accounts would have been left open to hacking which includes software from Office 365 to Outlook emails.