Subdomain Takeover: Microsoft loses control over Windows Tiles

A service from Microsoft used to allow web page owners to deliver news on Windows Tiles as so-called Windows Live Tiles. After the service has been disabled, we were able to take over the corresponding subdomain and display our own Tile contents.

Artikel veröffentlicht am , Hanno Böck
Microsoft tried to introduce a new user interface with a tiled layout in Windows 7 but failed to impress the customers.
Microsoft tried to introduce a new user interface with a tiled layout in Windows 7 but failed to impress the customers. (Bild: Screenshot / Hanno Böck / Martin Wolf)

The Tiles service Microsoft introduced with Windows 8 has never been particularly successful. Microsoft has disabled a web service for the system but forgot to delete nameserver entries. This made the host vulnerable for a subdomain takeover attack - allowing us to control the contents. By doing so we were able to show arbitrary pictures and text within the tiles of other web pages.

  1. IT-Engineer / Administrator Network Services (m/w/d)
    GILDEMEISTER Beteiligungen GmbH, Bielefeld
  2. Systemadministrator (m/w/d) Customer Service
    Dürkopp Fördertechnik GmbH, Bielefeld

The tiles can fullfil a number of functions. They allow web pages to display news on the tiles with a special meta tag. This function is called Windows Live Tiles. Web pages which support this service can be pinned as a tile.

Microsoft service converts RSS feed to Tiles

With a special XML-based file format, web pages can control the content of the tiles; for example, they can show the latest news. To make it easier for web pages to provide this function, Microsoft ran a service that automatically converted RSS feeds into that special XML format.

The web page that allows creating the corresponding meta tags is still online, although the service no longer works. The host that should deliver the XML files - - only showed an error message from Microsoft's cloud service Azure.

Golem Karrierewelt
  1. C++ Programmierung Grundlagen (keine Vorkenntnisse benötigt): virtueller Drei-Tage-Workshop
    16.-18.01.2023, virtuell
  2. Jira für Systemadministratoren: virtueller Zwei-Tage-Workshop
    14./15.02.2023, virtuell
Weitere IT-Trainings

The abandoned host was vulnerable for a so-called subdomain takeover attack. The host was redirected to a subdomain of Azure. However this subdomain wasn't registered with Azure.

Azure subdomain could be re-registered

The takeover works via a so-called CNAME nameserver entry. It redirects all requests for the host to the unregistered Azure subdomain. With an ordinary Azure account, we were able to register that subdomain and add the corresponding host name. Thus we were able to control which content is served on that host.

Web pages using the defunct service from Microsoft included the Russian mail provider, Engadget, and German news sites Heise Online and Giga. Web pages that include these meta tags should remove them or, if they want to keep the functionality, create the corresponding XML files themselves.

Microsoft does not answer

We have informed Microsoft about this problem but haven't received a reply yet. We won't keep the host registered permanently. There's a decent amount of traffic reaching this host and running up costs to hold the domain and block the corresponding subdomain even if we stop the web service and don't provide any content. Once we cancel the subdomain a bad actor could register it and abuse it for malicious attacks.

Windows Tiles were introduced on the start screen of Windows 8 and moved to the start menu in Windows 10. They have never been particularly popular. The web page Windowscentral speculated in January that the Tiles may be deprecated soon. The upcoming Windows Lite is rumored to come without Tiles already.

Update from April 18th, 11:56

Microsoft has now deleted the nameserver record and we no longer control the subdomain. We still haven't received a reply from Microsoft.

Bitte aktivieren Sie Javascript.
Oder nutzen Sie das Golem-pur-Angebot
und lesen
  • ohne Werbung
  • mit ausgeschaltetem Javascript
  • mit RSS-Volltext-Feed

Aktuell auf der Startseite von
Amazon Shopper Panel
Amazon zahlt für Überwachung des Smartphone-Datenverkehrs

Wer seinen gesamten Smartphone-Datenverkehr über Amazons Server leitet, wird mit einem monatlichen Gutschein dafür bezahlt.

Amazon Shopper Panel: Amazon zahlt für Überwachung des Smartphone-Datenverkehrs
  1. Vodafone und Telekom: LTE-Ausbau in Berliner Bahntunneln dauert weitere Jahre
    Vodafone und Telekom
    LTE-Ausbau in Berliner Bahntunneln dauert weitere Jahre

    Laut Senatsverwaltung kam der Ausbau der Base-Transceiver-Station-Hotels nicht wie geplant voran. Nicht nur die Kunden von Vodafone und Telekom haben das Nachsehen.

  2. Northrop Grumman: B21 Raider als erster digitaler Bomber vorgestellt
    Northrop Grumman
    B21 Raider als erster digitaler Bomber vorgestellt

    Northrop Grumman hat mit dem B-21 Raider eine neuen Tarnkappenbomber vorgestellt. Dabei kamen agile Softwareentwicklung und digitales Engineering zum Einsatz.

  3. Soziale Netzwerke: Liken bei Hasspostings kann strafbar sein
    Soziale Netzwerke
    Liken bei Hasspostings kann strafbar sein

    Facebook-Nutzer, die nicht davor zurückschrecken, diskriminierende oder beleidigende oder Postings zu liken, sollten sich das gut überlegen. Denn das Drücken des Gefällt-mir-Buttons kann hier erhebliche rechtliche Folgen haben.
    Von Harald Büring

Du willst dich mit beruflich verändern oder weiterbilden?
Zum Stellenmarkt
Zur Akademie
Zum Coaching
  • Schnäppchen, Rabatte und Top-Angebote
    Die besten Deals des Tages
    Daily Deals • PS5-Bundle vorbestellbar • SanDisk Extreme PRO 1TB 141,86€ • Amazon-Geräte bis -53% • Mindstar: Alphacool Eiswolf 2 AiO 360 199€, AMD-Ryzen-CPUs zu Bestpreisen • Alternate: WD_BLACK P10 2TB 76,89€ • Advent-Tagesdeals bei MediaMarkt/Saturn • Thrustmaster Ferrari GTE Wheel 87,60€ [Werbung]
    •  /