Download this update from mybrowser.microsoft.com. Oh, sorry, that was malware on a hijacked sub-domain. Oops
Lax DNS leaves door wide open for miscreants to impersonate Windows giant on its own websites
If you saw a link to mybrowser.microsoft.com, would you have trusted it? Downloaded and installed an Edge update from it? How about identityhelp.microsoft.com to change your password?
Well, you shouldn't have, because the pair were among sub-domains hijacked by vulnerability researchers to prove Microsoft is lax with its own online security.
In short, the Windows giant allowed hundreds of sub-domains – at least 670 – on its big-name microsoft.com, skype.com, visualstudio.com, and windows.com properties to potentially fall into the hands of miscreants who could have commandeered them for phishing and malware distribution.
It basically would work like this, similar to previous reports of Microsoft web joy-riding: The tech goliath had loads of sub-domains, such as web.visualstudio.com, served by systems hosted in its Azure cloud. For example, mybrowser.microsoft.com might have resolved to something like webserver9000.azurewebsites.net. When you visited mybrowser.microsoft.com, your browser would have been directed, via DNS, to fetch a page from
Now, as we said, Microsoft has loads of these sub-domains, and after a while it just stops updating some of them and abandons them. Unfortunately, and crucially, it leaves the sub-domains' DNS records in place, so, for example, mybrowser.microsoft.com would still point to webserver9000.azurewebsites.net even though the server instance handling it was long since shut down.
This is where the miscreants swoop in. They get an Azure account, and spin up a web server instance, and request the hostname webserver9000.azurewebsites.net in its full form. Now, when people visit mybrowser.microsoft.com, they are directed instead to the criminals' webserver9000.azurewebsites.net, which offers victims downloads that look like browser updates but are actually ransomware or malware. Or pages that phish for their Office 365 username and password. You get the idea.
This security shortcoming, and nearly 700 example at-risk sub-domains, were privately reported to Microsoft by Numan Ozdemir and Ozan Agdepe of infosec outfit Vullnerability. To demonstrate the hostnames could be hijacked, they redirected ten of Microsoft's sub-domains, including identityhelp.microsoft.com, to their own pages hosted on Azure. It appears Microsoft has, in the past 24 hours or so, finally deactivated the sub-domains disclosed by Vullnerability.
"An attacker can upload his own files, create his own databases, track traffic, and create a clone of the main website," Ozdemir and Agdepe explained in an advisory seen by The Register earlier this week ahead of its publication today. "So, it is not possible to detect whether a sub-domain has been hijacked by an attacker or is really managed by system authorities. Attackers threaten security by exploiting visitors' trust."
Ozdemir told El Reg a sub-domain takeover requires little in the way of technical skill, and, depending how long it takes to stumble upon a vulnerable sub-domain, it could take anywhere from five to 30 minutes to commandeer.
Microsoft's response is concerning. It has known about this danger for ages, yet persists with lax DNS management, and has refused to pay out bug bounties for the issue. Ozdemir and Agdepe argued Microsoft's reward scheme included sub-domain security; Redmond disagreed with that interpretation.
All Microsoft has to do is delete DNS entries for sub-domains when decommissioning their servers, or at least consider removing DNS entries for those sub-domains that no longer respond to HTTP requests.
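For anyone auditing their own zones for the same stale records, here is a minimal sketch of that housekeeping check, added as an illustration and not taken from Microsoft or the researchers' advisory. The sample zone export, the example.com names and idhelp-prod are constructed, and it assumes a released azurewebsites.net name stops resolving.

```python
import socket

# Cloud hostname suffixes that another tenant can re-register once released.
# Only the suffix named in the article is listed; extend it for your own estate.
CLAIMABLE_SUFFIXES = (".azurewebsites.net",)

# Constructed sample zone export (name, type, target); not real Microsoft data.
SAMPLE_ZONE = """\
mybrowser.example.com.     CNAME  webserver9000.azurewebsites.net.
identityhelp.example.com.  CNAME  idhelp-prod.azurewebsites.net.
www.example.com.           CNAME  cdn.example.com.
mail.example.com.          A      192.0.2.10
"""

def parse_cnames(zone_text):
    """Yield (name, target) for every CNAME line in a simple zone export."""
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[1].upper() == "CNAME":
            yield fields[0].rstrip(".").lower(), fields[2].rstrip(".").lower()

def system_resolves(hostname):
    """True if the hostname resolves right now via the system resolver.

    Any lookup failure counts as "does not resolve", including a transient
    resolver error, so confirm a finding before deleting the record.
    """
    try:
        socket.getaddrinfo(hostname, 443)
        return True
    except socket.gaierror:
        return False

def find_dangling(zone_text, resolves=system_resolves):
    """Return CNAMEs pointing at a claimable cloud name that no longer resolves."""
    findings = []
    for name, target in parse_cnames(zone_text):
        if target.endswith(CLAIMABLE_SUFFIXES) and not resolves(target):
            findings.append((name, target))
    return findings

if __name__ == "__main__":
    for name, target in find_dangling(SAMPLE_ZONE):
        print(f"DANGLING: {name} -> {target} (delete the record or reclaim the name)")
```

This covers only the DNS half of the comparison; a target that still resolves but no longer answers HTTP requests needs a separate probe.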
"We have detected more than 670 vulnerable sub-domains, and reported lots of vulnerable sub-domains," said Ozdemir. "We will continue to report all vulnerable sub-domains ... otherwise, nobody will report them to Microsoft. It's a great reason why visitors should be careful while visiting Microsoft's websites. If Microsoft doesn't need us, we invite them to scan all their sub-domains and fix all of vulnerable sub-domains.
"They can detect those vulnerabilities by comparing DNS records and HTTP responses, just as we did."
A spokesperson for Microsoft told El Reg: "We are aware of such reports and are taking appropriate action as needed to help protect Microsoft services and customers." ®