Vansh Devgan, a final-year BTech Computer Engineering student at LPU, has been applauded by Microsoft with a bounty reward of USD 20,000 (nearly Rs 15 lakh) for his significant security research benefiting the technology giant. Vansh, along with his team member, has enabled Microsoft to correct crucial security flaws in its Edge internet browser. These flaws were reported to Microsoft by this two-man team of cyber security researchers, led by LPU student Vansh.

LPU Chancellor Mr Ashok Mittal congratulated the creative, enterprising and industrious student, and urged all others to keep utilizing the creative skills learnt through their respective departments. Thanking Vansh and his team member, Microsoft mentioned in a message: “Based on the assessment from our engineering team, we have determined that your case 65333 is eligible for a USD 20,000 bounty award under the ‘Edge’ on Chromium Bounty Program.”

To illustrate, a ‘bounty’ is a payment or reward often offered by a group as an incentive for the accomplishment of a task by someone not associated with the group. Along these lines, the ‘Microsoft Edge Bounty Program’ welcomes individuals from across the globe to seek out and submit vulnerabilities unique to Microsoft Edge based on Chromium. Qualified submissions, such as those of LPU’s Vansh and his team, are eligible for bounty rewards of USD 1,000 onwards. These bounties are awarded at Microsoft’s discretion based on the severity and impact of the vulnerability and the quality of the submission. Thus, Microsoft paid out the highest reward of USD 20,000 to Vansh.
Technically speaking, the team of two found “vulnerable code” involving uXSS (Universal Cross-Site Scripting) in Microsoft’s Translator. This code comes pre-installed in the Microsoft Edge browser. The flaw was reported under the ‘Edge’ on Chromium Bounty Program. Vansh is a cyber-security enthusiast who does part-time bug bounty hunting and also runs his innovative business, ‘CyberXplore’, along with his team member Shivam.

It is now learnt that “the security vulnerability, tracked as CVE-2021-34506, has been fixed in the latest release of Microsoft Edge Stable Channel (Version 91.0.864.59).” The impact of the security flaw was very severe. Anyone who visited a website using the Microsoft Edge browser and hit the language translate button to read the content in their preferred language could have arbitrary code injected into the page, letting an attacker perform whatever they wanted.

Explaining, Vansh shares: “We created a profile on Facebook with a name in a different language and XSS payload. Then, we sent a friend request to the victim using Microsoft Edge. As soon as he checked our profile, he got hacked through a popup because of auto translation.” He also claims that they were even able to bypass ‘YouTube’ and the ‘Windows Store Application’ by exploiting this vulnerability.

Vansh further simplifies: “Unlike the common XSS attacks, UXSS is a type of attack that exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition, and execute malicious code. When such vulnerabilities are found and exploited, the behaviour of the browser is affected and its security features may be bypassed or disabled.”