Security researcher Rafay Baloch is the one who identified the vulnerabilities

Sep 24, 2012 07:57 GMT  ·  By

Microsoft addressed cross-site scripting (XSS) and HTML Injection vulnerabilities on its websites after security researcher Rafay Baloch notified the company of their existence.

We have another great example of how a proper acknowledgment program encourages security researchers to practice responsible disclosure, instead of publishing their findings all over the Web.

For his contribution to keeping its websites secure, the Redmond company listed Rafay on its August 2012 Security Researcher Acknowledgements for Microsoft Online Services page.

In order to demonstrate the XSS flaw and the risks posed by such issues, the expert made a proof-of-concept (POC) video, which he published on YouTube, but only after he was certain that the security holes were addressed.

The expert claims that he identified two additional vulnerabilities – HTTP parameter pollution and DOM-based XSS – but because they’re still being verified by Microsoft, their details haven’t been made public.