Microsoft has awarded an independent security researcher $50,000 as part of its bug bounty program for reporting a flaw that allowed a malicious actor to hijack users’ accounts without their knowledge. The vulnerability aims to brute-force the seven-digit security code that’s sent to a user’s email address or mobile number to corroborate his (or her) identity before resetting the password in order to recover access to the account. Microsoft addressed the issue in November 2020, before details of the flaw came to light on Tuesday.
Source: https://thehackernews.com/2021/03/a-50000-bug-couldve-allowed-hackers.html