6/10
Security researcher Laxman Muthiyah discovered a critical account takeover vulnerability in Microsoft's password reset mechanism: the 7-digit security code could be brute-forced by sending concurrent requests, which bypassed rate limiting and IP-based blacklisting. The vulnerability affected both standard accounts and those with 2FA enabled; compromising any Microsoft account required approximately 11 million concurrent requests.
account-takeover
brute-force
rate-limiting-bypass
concurrent-requests
password-reset
encryption-bypass
multi-factor-authentication-bypass
microsoft-azure
bug-bounty
account-recovery
Laxman Muthiyah
Microsoft
MSRC
HackerOne
Instagram
iCloud