The researcher says he could have abused the bug to hijack Microsoft accounts.