To reset your Microsoft account password, the company requires you to provide an email or mobile phone number to send the seven-digit security code. After entering it, the user can set a new password for the account.

Mutya discovered a way to hack accounts through brute force attacks by enumerating the above security code’s possible options. First, the expert studied the password processing system, which limited the number of simultaneous requests and blocked unnecessary ones. He found that when sending 1000 variants, the service checked only 122 of them. The rest of the system reacted with the error message “Error 1211”.

As a result, the researcher developed an algorithm to bypass the limit on the number of requests. As it turned out, sending the security codes simultaneously allows all of them to be processed without further blocking. As a result, he managed to guess the necessary code to reset the password.

Lakshman reported the vulnerability to Microsoft by sending a video to the company. After that, the developers made the appropriate corrections to the system and transferred a reward of $ 50 thousand to the researcher. The expert thanked the Microsoft Security Response Center team for their patience and reward. A more detailed report can be found on The Zero Hack page.