Dutch Dirk-jan discovers Microsoft security problem

"I was staring at my screen, and I just thought, This can't be happening. This can't be working..."
At first, it's mostly disbelief when Dirk-jan Mollema realizes the gravity of the error he's just discovered. And then the seriousness sinks in. "I don't want to be able to do this kind of thing at all; I don't want that responsibility."
Entra ID

The flaw Mollema discovered is in the Microsoft Entra ID service. This is a so-called authentication service used to log in to other Microsoft products, including the Azure cloud service and the Microsoft 365 office suite.
Mollema found a new way to log in and perform actions on behalf of other users. "It was actually intended for Microsoft itself, for internal use. But I could use it too."
And that login method contained a crucial flaw: it didn't check whether the user was actually allowed to access the system. This way, a hacker could gain access to any company's Microsoft systems.
"You can then see, for example, who works there and what their data is," says Mollema. "And all of that without leaving any traces."
Access to all files

Worse still: a hacker could make themselves an administrator and make all sorts of changes. "Then the other administrators will see that there's a new user, so it's not something that happens secretly," says Mollema. But this way, a hacker could get their hands on all the company's emails and files. "So, all sorts of personal data, too."
In the video below, tech reporter Wouter van Dijke explains the consequences of the error at Microsoft:
When Mollema discovered the error, he immediately reported it to Microsoft. "I think this is the fastest report I've ever written. I knew right away: this has to be fixed as quickly as possible. So I reported it within two hours."
Fixed in record time

And Microsoft also took the report very seriously. "They fixed the problem in record time. Ultimately, they rolled out a solution worldwide within three days. That's really fast for a company as large as Microsoft."
The severity of the situation is also evident from the warning Microsoft issued, which rates the error a 10 out of 10, the maximum score.

Reward

Anyone who discovers a security issue and reports it to Microsoft can expect a reward. These so-called bug bounties can reach $100,000 (€85,000) or more. Mollema declined to say how much Microsoft paid him. "But they definitely did give a bug bounty."
Thanks to Mollema's report, Microsoft was able to quickly patch the vulnerability. It doesn't appear that others have discovered the same issue or even exploited it. Mollema: "Microsoft investigated this, and they say they haven't seen any abuse. I assume that's true. But you can never be completely certain."
Companies using Microsoft services don't have to worry now, says Mollema. "This problem really was Microsoft's fault. As a company, there wasn't anything you could have done about it. Essentially, no action is needed for companies, because Microsoft has fixed this on their end."
RTL Nieuws