A Security Engineer’s Quest to Find 365 Bugs in Microsoft Office 365

He’s almost there, too, with about 310 bugs found so far.

Security engineer by day, bug hunter by night, Ashar Javed is on a journey to find 365 security bugs in Microsoft Office 365. His current count sits at around 310, and Javed said he has no intention of stopping.

Microsoft’s bug bounty program is open to the public and offers monetary awards as an incentive to catch system faults before they impact the general user. Bugs can range from mildly annoying to gravely compromising, so the earlier they’re caught the better. Javed says he enjoys being a part of this program, launched in 2013, as it provides actionable steps to improve the lives of consumers.


It’s a fun hobby for him, he said in an interview, and one with positive repercussions for everyone using the software. 

“For me, it’s a win-win situation, if I find a bug it’s helping my company and everyone using the product,” said Javed. “This is something I have in my mind all the time. Finding bugs in Office 365 is a challenging task and there are reasons behind that. I took this challenge.”

Javed works for Hyundai and performs similar tasks for the automotive company as a pentester. He also sits at fourth place on Microsoft’s 2020 Most Valuable Researcher List, which ranks community security researchers, with a note that says he is a "high volume" bug hunter. Web security, he says, is a passion of his.

“My wife, my family, everyone has an objection that I’m sitting in front of my laptop a lot of the time,” Javed said. “When I have time, I go bug hunting. It’s all about the investment of your time.” 

One disturbing bug Javed said he found gave him the ability to take over and compromise every website created with Microsoft’s Power Portals, equating to about 1,700 websites, according to Javed. An Insecure Direct Object Reference (IDOR) attack laid the groundwork for Javed to access the web app, he said.

Javed found another interesting bug in Microsoft Teams and Skype for Business. The backend API of these programs was leaking information, he said, and one part of this info dump is a person’s at-keyboard status.

“I was able to find any user from Office 365 sitting in different organization’s status. I could tell if they’re offline, online, out sick, or set to 'be right back,' or 'do not disturb,'” said Javed. 

Javed offers advice to other community pentesters (security researchers who prod at systems to find vulnerabilities) in the form of what he calls “The Three P’s: Pain, Patience, and Peso,” alluding to the rewards bug testers can receive if they take the hours, and in some cases months, to compile a list of security concerns.

"Security researchers play an integral role in the ecosystem by discovering vulnerabilities missed in the software development process,” a Microsoft spokesperson said in a statement to Motherboard. “We partner closely with security researchers to better protect billions of customers worldwide. Bounty programs are one part of this partnership, designed to encourage and reward vulnerability research focused on the highest impact to customer security."

Bug bounty programs are on the rise, with big players like Microsoft, Apple, and even the Department of Homeland Security implementing these security measures. Recreational bug hunting, once a hobby, is now a legitimate side hustle.