Skip to main content

How to make money from google and microsoft


Smart hackers could exploit a loophole that could allow them to steal a significant amount of cash from Google, Microsoft and Instagram using a Premium rate phone number.

Security researcher Arne Swinnen from Belgium has discovered an ingenious way to steal money from big tech companies like Google, Microsoft, and Instagram using their two-factor authentication (2FA) voice-based token distribution systems.

Swinnen argues that any attacker with malicious intent could create fake Google, Microsoft or Instagram accounts, as well as premium phone services, and then link them together.

The attacker could then request 2FA voice-based tokens for all fake accounts using an automated scripts, placing legitimate phone calls to his service to earn him quite a nice profit.

Swinnen created accounts on Google, Microsoft Office 365 and Instagram and then tied them to a premium phone number instead of a regular one.

As a result, whenever one of these three services would call the account's phone number to send the user their account access code, the premium number would register an incoming call and bill the companies.

"They all offer services to supply users with a token via a computer-voiced phone call, but neglected to properly verify whether supplied phone numbers were legitimate non-premium numbers," Swinnen says in his blog.

"This allowed a dedicated attacker to steal thousands of EUR/USD/GBP/... Microsoft was exceptionally vulnerable to mass exploitation by supporting virtually unlimited concurrent calls to one premium number."


Although the Swinnen reported the loophole to all the three companies, he calculated that he could have stolen €432,000 per year from Google, €669,000 per year from Microsoft and €2,066,000 per year from Instagram.

You can learn more technical details about the hack in Swinnen's blog post.

Although no customer data was being put at risk through his hack, Facebook (who owns Instagram) and Microsoft rewarded Swinnen with $2000 and $500 via their bug bounty programs, while Google mentioned his name in the company's Hall of Fame.

Comments

Popular posts from this blog

So what exactly is cryptography

Nowadays Internet is an important part of Life.  We are using the Internet for sending confidential data also like password,for storing army secrets. But the Internet is insecure medium.we all use internet at a daily basis.  Do you know why? Insecure Medium: Imagine you are sending a data.  In internet world, data are separated as packets and send to the destination.  Do you think the data directly reaching the destination?   If  you think so,you are wrong.  The packets are going through different routers.  Finally, the data is sent to the user.  In this gap, Intruders(i mean attackers) takes advantages. so who are they .the are  I.they  can see what you are sending.  Because your data are simple and easy to readable by anyone. How to secure the data? We can not stop the intruders and their activities.  But we can make our data as Unreadable for Intruders.  For this purpose, the Cryptography is introduce...

Lunix malware havoc

The Krebs DDoS attacks have proven that the IoT landscape is a fertile ground that can breed huge botnets capable of launching massive DDoS assaults. As such, it should be no surprise that malware authors are now focusing their efforts on this sector and putting out new threats in the hopes of building the next Mirai botnet. One of the latest additions to the IoT malware market is a trojan codenamed Linux/NyaDrop, recently reverse engineered by MalwareMustDie, the same researcher who discovered the Mirai malware. MalwareMustDie points out in his research that this binary appeared in May, but was somewhat simplistic and not that common. Things changed after the Krebs DDoS attacks, and a new sample has appeared on the market, with the malware’s author most likely drawn back to the IoT landscape by Mirai’s success. Just like most IoT malware nowadays, NyaDrop’s author relies on brute-forcing Internet-exposed IoT devices using their default credentials. In a conversati...

Remove virus from android

Desktops aren’t the only gadgets that can be affected by a virus. Android devices have a malware problem and it’s growing every day. If you do get a virus, you could perform a factory reset to get rid of it, but that means you’d lose all your data — those photos you shot, the saved games, the text messages, and everything else. Obviously, you want a factory reset to be your last option. So what can you do to remove a virus from Android without a factory reset? Is It Really a Virus? If your phone isn’t functioning the way it should be, there’s a chance you have some malware on it. One wrong tap somewhere and a malicious file might have been downloaded on your phone, which is leeching battery life, Internet resources, or your personal data. But it could be something else. Suppose your Android refuses to boot or crashes every time it starts up. Or maybe you can’t seem to download apps from the Play Store. These are not necessarily caused...