SecureWorld News

Researcher Discovers Loophole to Scam Microsoft Office Out of Hundreds of Thousands of Dollars

Written by SecureWorld News Team | Tue | Jul 19, 2016 | 9:06 PM Z

A researcher discovered a flaw in the voice-call two-factor authentication used by Microsoft, Google and Instagram that could have cost those companies large sums had it been abused rather than reported.

The Register reports:

Gaming two-factor authentication systems with premium-rate phone numbers can be very profitable, or it was until the flaws got reported.

Belgian security researcher Arne Swinnen noticed that the authentication systems used by Facebook-owned Instagram, Google and Microsoft allow the one-time verification code to be delivered by a voice call as well as by text message. By linking accounts to a premium-rate phone number he controlled and could pocket money from, he was able to bill the three companies for every call they placed, in some cases potentially thousands of dollars a day.

"Microsoft was exceptionally vulnerable to mass exploitation by supporting virtually unlimited concurrent calls to one premium number," he said. "The vulnerabilities were submitted to the respective Bug Bounty programs and properly resolved."

In the Microsoft case, he set up an Office 365 trial account and linked it to a premium-rate number he owned. Redmond's servers stop placing verification calls to a number after seven failed verification attempts, but there were ways around that.

Swinnen found that prefixing the premium-rate number with up to 18 zeros fooled the Office authentication system into placing many more calls. Adding a country code had the same effect, as did appending up to four digits to the end of the number. Office treated each variant as a new number rather than recognizing that every one of them reached the same line, so the seven-call limit never applied and the same premium-rate number was called over and over.
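The underlying defect is a rate limiter keyed on the phone number as the user typed it rather than on the destination the carrier will actually connect to. The following is an added example, not Microsoft's code or anything from Swinnen's write-up: it places a naive limiter beside a hardened one that canonicalizes to E.164 first, rejects anything that does not canonicalize cleanly, and keys the counter on the destination rather than on the account. The numbering-plan table, the premium-rate number 090012345 and the attacker's variant list are all constructed for the example; the real Office 365 logic is not described on this page.

```python
"""Canonicalize phone numbers before rate limiting.

The naive limiter counts failed verification calls per submitted string, so
any cosmetic variation of the same destination resets the budget. The hardened
limiter counts per canonical E.164 destination and refuses strings that do not
canonicalize exactly (extra leading zeros, unknown country code, trailing
digits) instead of trimming them.
"""
import re
from collections import defaultdict

# Constructed, deliberately simplified numbering plan (an assumption for this
# example, not a reference): country calling code -> exact length of the
# national number. Real plans vary by number range; production code should use
# a full numbering-plan library rather than this table.
COUNTRY_PLANS = {"32": 8, "44": 10, "1": 10}
DEFAULT_CC = "32"
MAX_FAILED_CALLS = 7  # per-number lockout threshold the article reports


def canonicalize(raw: str, default_cc: str = DEFAULT_CC) -> str:
    """Return '+<cc><national number>' or raise ValueError.

    Accepts one international prefix ('+' or '00') and, in national format, one
    trunk '0'. Anything else is rejected rather than silently normalized away,
    because trimming would let the caller choose which digits the carrier sees.
    """
    s = raw.strip()
    if s.startswith("+"):
        international, digits = True, re.sub(r"\D", "", s[1:])
    else:
        digits = re.sub(r"\D", "", s)
        international = digits.startswith("00")
        if international:
            digits = digits[2:]
    if international:
        if digits.startswith("0"):          # '+0...' / '000...' is never a country code
            raise ValueError(f"malformed international prefix in {raw!r}")
        cc = next((c for c in COUNTRY_PLANS if digits.startswith(c)), None)
        if cc is None:
            raise ValueError(f"unknown country code in {raw!r}")
        national = digits[len(cc):]
    else:
        cc = default_cc
        national = digits[1:] if digits.startswith("0") else digits   # single trunk prefix
    if not national or national.startswith("0") or len(national) != COUNTRY_PLANS[cc]:
        raise ValueError(f"not a valid +{cc} number: {raw!r}")
    return f"+{cc}{national}"


class NaiveCallLimiter:
    """Vulnerable pattern: the lockout counter is keyed on the raw string."""

    def __init__(self):
        self.failed = defaultdict(int)

    def request_call(self, raw: str) -> bool:
        """Return True if a verification call would be placed."""
        if self.failed[raw] >= MAX_FAILED_CALLS:
            return False
        self.failed[raw] += 1   # attacker never enters the code, so every call fails
        return True


class CanonicalCallLimiter:
    """Hardened pattern: canonicalize first, key the counter on the destination
    (shared across all accounts), and refuse anything that does not canonicalize."""

    def __init__(self):
        self.failed = defaultdict(int)

    def request_call(self, raw: str) -> bool:
        try:
            dest = canonicalize(raw)
        except ValueError:
            return False
        if self.failed[dest] >= MAX_FAILED_CALLS:
            return False
        self.failed[dest] += 1
        return True


def attacker_variants(national_number: str) -> list:
    """Spellings of one destination in the three styles the article describes.
    national_number is the national format with its trunk '0', e.g. '090012345'."""
    variants = [national_number]
    variants += ["0" * k + national_number for k in range(1, 19)]        # up to 18 leading zeros
    variants += ["+32 " + national_number[1:], "0032" + national_number[1:]]  # explicit country code
    variants += [national_number + "1234"[:n] for n in range(1, 5)]       # up to four trailing digits
    return variants


def calls_placed(limiter, variants, attempts_per_variant=MAX_FAILED_CALLS + 1) -> int:
    """Hammer each variant a little past the threshold and count calls that went out."""
    return sum(limiter.request_call(v) for v in variants for _ in range(attempts_per_variant))


if __name__ == "__main__":
    variants = attacker_variants("090012345")   # constructed premium-rate number
    print(len(variants), "variants")
    print("naive limiter placed", calls_placed(NaiveCallLimiter(), variants), "calls")
    print("canonical limiter placed", calls_placed(CanonicalCallLimiter(), variants), "calls")
```

With 25 variants the naive limiter places 7 calls per spelling (175 in total), while the canonical limiter places 7 calls for the whole set: the plain, `+32` and `0032` spellings collapse to one key, and every zero-padded or digit-appended spelling is rejected outright. Rejecting rather than trimming is the deliberate choice; a limiter that strips "extra" digits still lets the caller pick the string that reaches the carrier, and a strict length check is only as good as the numbering plan behind it, which is why production code should use a real numbering-plan library and also cap outbound calls per destination independently of what any account submits.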