Khaled Mohamed, a 23-year-old security engineer and founder of SecBound, is the bug bounty hunter who identified a flaw in Microsoft Authenticator for iOS and Android, tracked as CVE-2026-26123. He reports that the vulnerability could allow a malicious app on the device to hijack a user’s sign‑in codes when the device’s scanner is used to read a sign‑in QR code, potentially enabling full account takeover and, in some cases, bypassing even two‑factor authentication.
Mohamed reported the flaw through the Coordinated Vulnerability Disclosure process, and Microsoft issued a patch as part of the 10 March 2026 security update. He has been listed in the halls of fame of several major companies for his bug‑hunting work, and his experience underscores the ongoing value of responsible disclosure in improving mobile security. The interview emphasises continual testing, thinking like an attacker, and reporting vulnerabilities promptly to keep the ecosystem safer.