• IT-Karriere:
  • Services:

Subdomain Takeover: Microsoft loses control over Windows Tiles

A service from Microsoft used to allow web page owners to deliver news on Windows Tiles as so-called Windows Live Tiles. After the service has been disabled, we were able to take over the corresponding subdomain and display our own Tile contents.

Artikel veröffentlicht am , Hanno Böck
Microsoft tried to introduce a new user interface with a tiled layout in Windows 7 but failed to impress the customers.
Microsoft tried to introduce a new user interface with a tiled layout in Windows 7 but failed to impress the customers. (Bild: Screenshot / Hanno Böck / Martin Wolf)

The Tiles service Microsoft introduced with Windows 8 has never been particularly successful. Microsoft has disabled a web service for the system but forgot to delete nameserver entries. This made the host vulnerable for a subdomain takeover attack - allowing us to control the contents. By doing so we were able to show arbitrary pictures and text within the tiles of other web pages.

Stellenmarkt
  1. ModuleWorks GmbH, Aachen
  2. Bundesnachrichtendienst, Berlin

The tiles can fullfil a number of functions. They allow web pages to display news on the tiles with a special meta tag. This function is called Windows Live Tiles. Web pages which support this service can be pinned as a tile.

Microsoft service converts RSS feed to Tiles

With a special XML-based file format, web pages can control the content of the tiles; for example, they can show the latest news. To make it easier for web pages to provide this function, Microsoft ran a service that automatically converted RSS feeds into that special XML format.

The web page that allows creating the corresponding meta tags is still online, although the service no longer works. The host that should deliver the XML files - notifications.buildmypinnedsite.com - only showed an error message from Microsoft's cloud service Azure.

Golem Akademie
  1. IT-Sicherheit für Webentwickler
    31. Mai - 1. Juni 2021, online
Weitere IT-Trainings

The abandoned host was vulnerable for a so-called subdomain takeover attack. The host was redirected to a subdomain of Azure. However this subdomain wasn't registered with Azure.

Azure subdomain could be re-registered

The takeover works via a so-called CNAME nameserver entry. It redirects all requests for the host to the unregistered Azure subdomain. With an ordinary Azure account, we were able to register that subdomain and add the corresponding host name. Thus we were able to control which content is served on that host.

Web pages using the defunct service from Microsoft included the Russian mail provider Mail.ru, Engadget, and German news sites Heise Online and Giga. Web pages that include these meta tags should remove them or, if they want to keep the functionality, create the corresponding XML files themselves.

Microsoft does not answer

We have informed Microsoft about this problem but haven't received a reply yet. We won't keep the host registered permanently. There's a decent amount of traffic reaching this host and running up costs to hold the domain and block the corresponding subdomain even if we stop the web service and don't provide any content. Once we cancel the subdomain a bad actor could register it and abuse it for malicious attacks.

Windows Tiles were introduced on the start screen of Windows 8 and moved to the start menu in Windows 10. They have never been particularly popular. The web page Windowscentral speculated in January that the Tiles may be deprecated soon. The upcoming Windows Lite is rumored to come without Tiles already.

Update from April 18th, 11:56

Microsoft has now deleted the nameserver record and we no longer control the subdomain. We still haven't received a reply from Microsoft.

Bitte aktivieren Sie Javascript.
Oder nutzen Sie das Golem-pur-Angebot
und lesen Golem.de
  • ohne Werbung
  • mit ausgeschaltetem Javascript
  • mit RSS-Volltext-Feed


Anzeige
Top-Angebote
  1. 279,99€ (Vergleichspreis 332,19€)
  2. 599€ inkl. Rabattgutschein (Vergleichspreis 699€)
  3. 99,90€
  4. (u. a. FIFA 21 für 27,99€, Battlefield V für 13,99€, Star Wars Jedi Fallen Order für 24...

bst (golem.de) 17. Apr 2019

Hallo, wenn wir eine internationale Relevanz sehen, stellen wir ausgewählte Exklusiv...

FaDam 17. Apr 2019

Means, whats a nice Service to embedd in this tiles. Post your Ideas. A weather tile for...


Folgen Sie uns
       


Samsung Galaxy S21 und S21 Plus vorgestellt

Die beiden Grundmodelle von Samsungs Galaxy-S21-Serie kommen ohne abgerundete Displays und mit bekannten Kameras.

Samsung Galaxy S21 und S21 Plus vorgestellt Video aufrufen
Programm für IT-Jobeinstieg: Hoffen auf den Klebeeffekt
Programm für IT-Jobeinstieg
Hoffen auf den Klebeeffekt

Aktuell ist der Jobeinstieg für junge Ingenieure und Informatiker schwer. Um ihnen zu helfen, hat das Land Baden-Württemberg eine interessante Idee: Es macht sich selbst zur Zeitarbeitsfirma.
Ein Bericht von Peter Ilg

  1. Arbeitszeit Das Sechs-Stunden-Experiment bei Sipgate
  2. Neuorientierung im IT-Job Endlich mal machen!
  3. IT-Unternehmen Die richtige Software für ein Projekt finden

Weclapp-CTO Ertan Özdil: Wir dürfen nicht in Schönheit und Perfektion untergehen!
Weclapp-CTO Ertan Özdil
"Wir dürfen nicht in Schönheit und Perfektion untergehen!"

Der CTO von Weclapp träumt von smarter Software, die menschliches Eingreifen in der nächsten ERP-Generation reduziert. Deutschen Perfektionismus hält Ertan Özdil aber für gefährlich.
Ein Interview von Maja Hoock


    Fiat 500 als E-Auto im Test: Kleinstwagen mit großem Potenzial
    Fiat 500 als E-Auto im Test
    Kleinstwagen mit großem Potenzial

    Fiat hat einen neuen 500er entwickelt. Der Kleine fährt elektrisch - und zwar richtig gut.
    Ein Test von Peter Ilg

    1. Vierradlenkung Elektrischer GMC Hummer SUV fährt im Krabbengang seitwärts
    2. MG Cyberster MG B Roadster mit Lasergürtel und Union Jack
    3. Elektroauto E-Auto-Prämie übersteigt in 2021 schon Vorjahressumme

      •  /