Download this update from mybrowser.microsoft.com. Oh, sorry, it was malware on a hacked subdomain. Oops – The Register



If you saw a link to mybrowser.microsoft.com, would you have trusted it? Would you have downloaded and installed an Edge update from it? What if identityhelp.microsoft.com asked you to change your password?

Well, you shouldn’t have, because that pair were among the subdomains hijacked by vulnerability researchers to prove that Microsoft is lax with its own online security.

In short, the Windows giant has allowed hundreds of subdomains – at least 670 – on its major properties microsoft.com, skype.com, visualstudio.com and windows.com to potentially fall into the hands of criminals, who could have commandeered them for phishing and malware distribution.

Caper

It basically works like this, much as in previous reports of joy-riding on Microsoft’s web estate: the tech goliath had a lot of subdomains, such as dev.social.microsoft.com and web.visualstudio.com, served by systems hosted in its Azure cloud. For example, mybrowser.microsoft.com could have resolved to something like webserver9000.azurewebsites.net. When you visited mybrowser.microsoft.com, your browser would have been directed, via DNS, to fetch a page from webserver9000.azurewebsites.net.

Now, as we said, Microsoft has a lot of these subdomains, and after a while it stops updating some of them and abandons them. Unfortunately, and most importantly, it leaves the subdomains’ DNS records in place, so, for example, mybrowser.microsoft.com would still point to webserver9000.azurewebsites.net even though the server instance behind it was shut down long ago.

This is where miscreants step in. They get an Azure account, spin up a web server instance and request the hostname webserver9000, or webserver9000.azurewebsites.net in full. Now when people visit mybrowser.microsoft.com, they are actually sent to the criminals’ webserver9000.azurewebsites.net, which serves victims downloads that look like browser updates but are really ransomware or other malware. Or pages that phish their Office 365 username and password. You get the idea.


This security flaw, and nearly 700 examples of at-risk subdomains, were reported privately to Microsoft by Numan Ozdemir and Ozan Agdepe of infosec outfit Vullnerability. To demonstrate that the hostnames could be hijacked, they redirected ten of Microsoft’s subdomains, including mybrowser.microsoft.com and identityhelp.microsoft.com, to their own pages hosted on Azure. It appears Microsoft has, in the past 24 hours or so, finally disabled the subdomains disclosed by Vullnerability.

“An attacker can upload his own files, create his own databases, track traffic and create a clone of the main website,” Ozdemir and Agdepe said in a write-up shared with The Register earlier this week, ahead of its publication today. “Thus, it is not possible to detect whether a subdomain has been hijacked by an attacker or is actually managed by system authorities. Attackers threaten security by exploiting the trust of visitors.”

Ozdemir told El Reg that a subdomain takeover requires little technical skill and, depending on how long it takes to find a vulnerable subdomain, could take five to 30 minutes to carry out.

Microsoft’s response is worrying. It has known about this danger for ages, yet persists with lax DNS management, and has declined to pay bug bounties for the problem. One fix would be to delete subdomains’ DNS entries when their servers are decommissioned, or at least to consider deleting the DNS entries of subdomains that no longer respond to HTTP requests.

“We have detected more than 670 vulnerable subdomains and reported many vulnerable subdomains,” said Ozdemir. “We will continue to report all vulnerable subdomains … otherwise, no one will report them to Microsoft. This is an excellent reason why visitors should be careful when visiting Microsoft websites. If Microsoft does not need us, we invite them to analyze all their subdomains and fix all the vulnerable subdomains.

“They can detect these vulnerabilities by comparing DNS records and HTTP responses, as we have done.”
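The DNS half of that comparison, written from the zone owner’s side as an added example (not the researchers’ tooling and not from the article): it parses a zone export, flags CNAMEs that point at claimable cloud hostnames that no longer resolve, and runs offline against a constructed sample zone with a fake resolver. The claimable-suffix list and the sample records are assumptions; only the first CNAME mirrors the article’s own example.

```python
import socket
from typing import Callable, Dict, List

# Hosting suffixes where a released hostname can be claimed by any other tenant,
# so a CNAME to a non-resolving name here is a takeover risk (assumed list;
# extend with other providers' suffixes as appropriate).
CLAIMABLE_SUFFIXES = (".azurewebsites.net",)


def parse_zone(zone_text: str) -> Dict[str, str]:
    """Return {owner_name: cname_target} for every CNAME line in a zone export."""
    records = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1].upper() == "CNAME":
            records[parts[0].rstrip(".").lower()] = parts[2].rstrip(".").lower()
    return records


def live_resolves(name: str) -> bool:
    """Real resolver check: True if the name currently resolves to an address."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def find_dangling(records: Dict[str, str],
                  resolves: Callable[[str], bool] = live_resolves) -> List[str]:
    """Owner names whose CNAME target is claimable and no longer resolves."""
    return sorted(owner for owner, target in records.items()
                  if target.endswith(CLAIMABLE_SUFFIXES) and not resolves(target))


# Constructed sample zone export; the first CNAME mirrors the article's example.
SAMPLE_ZONE = """\
mybrowser.microsoft.com.    CNAME  webserver9000.azurewebsites.net.
dev.social.microsoft.com.   CNAME  socialdev.azurewebsites.net.
www.example-portal.com.     CNAME  edge.example-cdn.net.
"""
# Fake resolver state for the offline run: only these targets still exist.
STILL_LIVE = {"socialdev.azurewebsites.net", "edge.example-cdn.net"}


def audit_sample() -> List[str]:
    """Run the audit against the constructed zone using the fake resolver."""
    return find_dangling(parse_zone(SAMPLE_ZONE), resolves=lambda n: n in STILL_LIVE)


if __name__ == "__main__":
    for owner in audit_sample():
        print(f"DANGLING: delete or re-point the CNAME for {owner}")
```

Feeding a real zone export to `find_dangling` with the default resolver performs the live check; a flagged owner name is one whose record should be removed or re-pointed before anyone else registers the target.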

A Microsoft spokesperson told El Reg: “We are aware of these reports and are taking appropriate action to help protect Microsoft services and customers.” ®

WRITTEN BY

OltNews