Today it is common to hear stories of hackers exploiting all kinds of vulnerabilities in software systems. Data theft and hijacking, unauthorized transactions and a wide variety of other illicit activities come to light daily on the internet – and many others are kept “secret”. What is not common, however, is for the architects of these acts to be employees of the affected companies. The story that we will tell you today, which involves Microsoft, is one of the few exceptions.
Bloomberg reports on a situation that caused headaches for the Redmond company during 2018. The story focuses on Volodymyr Kvashuk, a former Microsoft employee assigned to a team of testers. His day job was to look for flaws in the company’s e-commerce infrastructure, specifically in its payment systems. If he found a vulnerability, he was, of course, expected to report it to his superiors.
These types of tasks are very common in the development of any software and, so far, there is nothing abnormal. The matter becomes interesting because, in 2017, Kvashuk found a bug that would change his life forever. The bug allowed Xbox gift card codes to be generated for free after making a fake transaction in the Microsoft Store. Even more incredible, the 25-digit codes were fully functional and could be used to purchase digital products or services. If you are an Xbox gamer, you know what we are talking about.
The normal thing, of course, would be for the employee to report the finding to Microsoft for a quick fix. Can you imagine what happened next? Yes, Kvashuk decided to keep the bug a secret to fill his pockets. The now former employee generated thousands of codes and sold them in an online store with attractive discounts of up to 55%. The sale was a success. He even created an application to automate the process; with just a few clicks he could indicate how many codes he needed, their value (30, 75 or 100) and the currency (dollars, euros, among others). Microsoft estimates that the theft amounts to approximately 10 million dollars.
Microsoft’s suspicions and the employee’s downfall
However, the anecdote takes an unexpected turn when some codes began to fail. Those affected did not turn to Kvashuk for a solution, but to Microsoft’s support service. However, as Bloomberg explains, in February 2018 the company was already aware of what was really happening. It turns out that a Microsoft fraud investigation team detected unusual activity in their metrics: purchases of digital products with gift card codes increased exponentially.
At first, Microsoft suspected that an external hacker was responsible. Shortly after, however, they discovered from the clues he left on the testing tools that the architect was one of their own employees. Kvashuk was left with no way out and was fired immediately. Fortunately, Microsoft did not press charges and even allowed him to live in a house acquired with the millions of stolen dollars.
Did you think this story would have a happy ending for a criminal? Well, it does not. Although Microsoft preferred not to get involved in a direct legal dispute, they did report the event to authorities. They were not going to allow an illegal act to go unpunished. Kvashuk was arrested and sentenced to 9 years in prison, which he is currently serving, and, upon leaving prison in 2027, could be deported to Ukraine, his country of origin.
“Federal agents found a list of Kvashuk’s with future investments, written in Ukrainian. The list revealed that he was planning to buy, among other extravagances, a $4 million house on Maui, a million-dollar home in ‘the mountains’ as well as ‘a yacht.’ The title of the list was: ‘How will I manage my next 10 million’.”
The moral? If you find a bug in an e-commerce system, or in any other type of system, it is better to report it.