Abo
  • IT-Karriere:

Subdomain Takeover: Microsoft loses control over Windows Tiles

A service from Microsoft used to allow web page owners to deliver news on Windows Tiles as so-called Windows Live Tiles. After the service has been disabled, we were able to take over the corresponding subdomain and display our own Tile contents.

Artikel veröffentlicht am , Hanno Böck
Microsoft tried to introduce a new user interface with a tiled layout in Windows 7 but failed to impress the customers.
Microsoft tried to introduce a new user interface with a tiled layout in Windows 7 but failed to impress the customers. (Bild: Screenshot / Hanno Böck / Martin Wolf)

The Tiles service Microsoft introduced with Windows 8 has never been particularly successful. Microsoft has disabled a web service for the system but forgot to delete nameserver entries. This made the host vulnerable for a subdomain takeover attack - allowing us to control the contents. By doing so we were able to show arbitrary pictures and text within the tiles of other web pages.

Stellenmarkt
  1. SSP Safety System Products GmbH & Co. KG, Spaichingen
  2. Zentrum Bayern Familie und Soziales, Bayreuth

The tiles can fullfil a number of functions. They allow web pages to display news on the tiles with a special meta tag. This function is called Windows Live Tiles. Web pages which support this service can be pinned as a tile.

Microsoft service converts RSS feed to Tiles

With a special XML-based file format, web pages can control the content of the tiles; for example, they can show the latest news. To make it easier for web pages to provide this function, Microsoft ran a service that automatically converted RSS feeds into that special XML format.

The web page that allows creating the corresponding meta tags is still online, although the service no longer works. The host that should deliver the XML files - notifications.buildmypinnedsite.com - only showed an error message from Microsoft's cloud service Azure.

The abandoned host was vulnerable for a so-called subdomain takeover attack. The host was redirected to a subdomain of Azure. However this subdomain wasn't registered with Azure.

Azure subdomain could be re-registered

The takeover works via a so-called CNAME nameserver entry. It redirects all requests for the host to the unregistered Azure subdomain. With an ordinary Azure account, we were able to register that subdomain and add the corresponding host name. Thus we were able to control which content is served on that host.

Web pages using the defunct service from Microsoft included the Russian mail provider Mail.ru, Engadget, and German news sites Heise Online and Giga. Web pages that include these meta tags should remove them or, if they want to keep the functionality, create the corresponding XML files themselves.

Microsoft does not answer

We have informed Microsoft about this problem but haven't received a reply yet. We won't keep the host registered permanently. There's a decent amount of traffic reaching this host and running up costs to hold the domain and block the corresponding subdomain even if we stop the web service and don't provide any content. Once we cancel the subdomain a bad actor could register it and abuse it for malicious attacks.

Windows Tiles were introduced on the start screen of Windows 8 and moved to the start menu in Windows 10. They have never been particularly popular. The web page Windowscentral speculated in January that the Tiles may be deprecated soon. The upcoming Windows Lite is rumored to come without Tiles already.

Update from April 18th, 11:56

Microsoft has now deleted the nameserver record and we no longer control the subdomain. We still haven't received a reply from Microsoft.



Anzeige
Spiele-Angebote
  1. 4,99€
  2. 33,99€
  3. 13,95€
  4. 4,99€

bst (golem.de) 17. Apr 2019 / Themenstart

Hallo, wenn wir eine internationale Relevanz sehen, stellen wir ausgewählte Exklusiv...

FaDam 17. Apr 2019 / Themenstart

Means, whats a nice Service to embedd in this tiles. Post your Ideas. A weather tile for...

Kommentieren


Folgen Sie uns
       


Anthem - Fazit

Wir ziehen unser Fazit zu Anthem und erklären, was an Biowares Actionrollenspiel gelungen und weniger überzeugend ist.

Anthem - Fazit Video aufrufen
TES Blades im Test: Tolles Tamriel trollt
TES Blades im Test
Tolles Tamriel trollt

In jedem The Elder Scrolls verbringe ich viel Zeit in Tamriel, in TES Blades allerdings am Smartphone statt am PC oder an der Konsole. Mich überzeugen Atmosphäre und Kämpfe des Rollenspiels; der Aufbau der Stadt und der Charakter-Fortschritt aber werden geblockt durch kostspielige Trolle.
Ein Test von Marc Sauter

  1. Bethesda TES Blades startet in den Early Access
  2. Bethesda The Elder Scrolls 6 erscheint für nächste Konsolengeneration

Urheberrechtsreform: Was das Internet nicht vergessen sollte
Urheberrechtsreform
Was das Internet nicht vergessen sollte

Die Reform des europäischen Urheberrechts ist eine Niederlage für viele Netzaktivisten. Zwar sind die Folgen der Richtlinie derzeit kaum absehbar. Doch es sollten die richtigen Lehren aus der jahrelangen Debatte mit den Internetgegnern gezogen werden.
Eine Analyse von Friedhelm Greis

  1. Leistungsschutzrecht VG Media will Milliarden von Google
  2. Urheberrecht Uploadfilter und Leistungsschutzrecht endgültig beschlossen
  3. Urheberrecht Merkel bekräftigt Zustimmung zu Uploadfiltern

Online-Banking: In 150 Tagen verlieren die TAN-Zettel ihre Gültigkeit
Online-Banking
In 150 Tagen verlieren die TAN-Zettel ihre Gültigkeit

Zum 14. September 2019 wird ein wichtiger Teil der Zahlungsdiensterichtlinie 2 für die meisten Girokonto-Kunden mit Online-Zugang umgesetzt. Die meist als indizierte TAN-Liste ausgegebenen Transaktionsnummern können dann nicht mehr genutzt werden.
Von Andreas Sebayang

  1. Banking-App Comdirect empfiehlt, Sicherheitswarnung zu ignorieren

    •  /