Finnish man gets locked out of email, phone and Xbox account

Mar 18, 2015 13:15 GMT

The Finnish individual who obtained an improperly issued SSL certificate for live.fi, Microsoft’s Windows Live domain in Finland, says that he had contacted the company about the security risk of letting anyone register privileged usernames on that domain, but received no reply.

The certificate has since been revoked by the issuing certificate authority. On Monday, Microsoft released a security advisory about an update to the Certificate Trust List (CTL) in Windows that marks the improperly issued certificate as untrusted.

The CTL update has to reach all supported versions of Windows, and it does not cover Mozilla Firefox, which relies on its own certificate store and therefore needs a separate update from Mozilla.

Obtaining the certificate was easy

Until a system has received the updated list of untrusted certificates, anyone holding the certificate and its private key can use it for phishing pages that spoof Windows Live content, or for man-in-the-middle (MitM) attacks that read sensitive information out of connections the user believes are secure. The CA’s own revocation only helps where clients check revocation status and fail closed, which most browsers do not, hence the trust-list updates.

The issue occurred because Microsoft’s live.fi mail service let any user create an email alias with a privileged, role-style username (admin@, administrator@, postmaster@, hostmaster@ or webmaster@), which is what the system administrator in question did.

Taking things a step further, he requested a certificate for the live.fi domain from a certificate authority, which validated the request and issued the certificate.

Such requests are validated by emailing a confirmation code to one of those privileged addresses at the domain, on the assumption that only the domain’s operator can read mail sent there; in this case the code went to the privileged alias he had created on live.fi. A mail provider that lets ordinary users claim those local parts breaks that assumption, and the CA has no way to tell the difference.
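As an added illustration (not code from the article, from Microsoft or from any CA), the check a mail provider needs on the registration side, written here in Python: it refuses self-service aliases whose local part a CA would treat as proof of domain control, after normalising case, Unicode compatibility forms and plus-tags, and it shows, for a constructed set of aliases, which ones a CA’s constructed-email validation would accept. The role-address lists beyond the five named above, the fold_dots option and the sample aliases are assumptions made for the example and are not Microsoft’s actual policy.

```python
from __future__ import annotations

import unicodedata

# Local parts that a domain-validating CA may send its challenge to, on the
# assumption that only the domain's operator can read them. These are the five
# the article lists; they match the "constructed" addresses in the CA/Browser
# Forum Baseline Requirements.
CA_CONSTRUCTED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)

# Further role mailboxes from RFC 2142 that a provider should also keep out of
# self-service registration (assumption for this example: not used for
# certificate validation, but abuse reports and security notices land there).
RFC2142_ROLE_LOCAL_PARTS = frozenset(
    {"abuse", "noc", "security", "info", "marketing", "sales", "support",
     "www", "ftp", "news", "usenet", "uucp"}
)

RESERVED_LOCAL_PARTS = CA_CONSTRUCTED_LOCAL_PARTS | RFC2142_ROLE_LOCAL_PARTS


def normalize_local_part(local_part: str, fold_dots: bool = False) -> str:
    """Canonicalise a requested local part before checking it against the list.

    NFKC folds compatibility forms (full-width "ａｄｍｉｎ" -> "admin"), casefold()
    removes case differences, and a "+tag" suffix is dropped because many
    providers deliver "admin+x@" to "admin@". Dots are removed only when the
    provider ignores them in delivery (assumption: pass fold_dots=True then).
    NFKC does not catch cross-script confusables (Cyrillic letters that look
    Latin); a provider accepting non-ASCII local parts needs a confusable
    check on top of this.
    """
    s = unicodedata.normalize("NFKC", local_part).strip().casefold()
    s = s.split("+", 1)[0]
    if fold_dots:
        s = s.replace(".", "")
    return s


def is_reserved_alias(address: str, fold_dots: bool = False) -> bool:
    """True if `address` (or a bare local part) maps to a reserved mailbox."""
    local, sep, _domain = address.rpartition("@")
    if not sep:
        local = address
    return normalize_local_part(local, fold_dots) in RESERVED_LOCAL_PARTS


def request_alias(taken: set[str], requested: str) -> tuple[bool, str]:
    """Provider-side gate for a self-service alias request.

    `taken` is the set of aliases already assigned (constructed state for the
    demo). Returns (granted, reason) and records the alias when granted.
    """
    if is_reserved_alias(requested):
        return False, "reserved role address: only the domain operator may assign it"
    canon = unicodedata.normalize("NFKC", requested).strip().casefold()
    if canon in taken:
        return False, "alias already taken"
    taken.add(canon)
    return True, "alias created"


def constructed_validation_addresses(domain: str) -> list[str]:
    """The addresses a CA using the constructed-email method may challenge."""
    return [f"{lp}@{domain.casefold()}" for lp in sorted(CA_CONSTRUCTED_LOCAL_PARTS)]


def exploitable_aliases(user_aliases: list[str], domain: str) -> list[str]:
    """Aliases a self-registered user holds that a CA would accept as proof of
    control over `domain`. Non-empty output means the provider's registration
    policy and the CA's validation assumption disagree."""
    targets = set(constructed_validation_addresses(domain))
    hits = []
    for alias in user_aliases:
        local, sep, dom = alias.rpartition("@")
        if sep and dom.casefold() == domain.casefold():
            if f"{normalize_local_part(local)}@{dom.casefold()}" in targets:
                hits.append(alias)
    return hits


if __name__ == "__main__":
    # Constructed demo: an ordinary user's aliases on the provider's domain.
    aliases = ["matti.m@live.fi", "WebMaster@live.fi", "postmaster+dv@live.fi"]
    print("would pass CA validation:", exploitable_aliases(aliases, "live.fi"))
    taken: set[str] = set()
    for req in aliases:
        print(req, "->", request_alias(taken, req))
```

The normalisation step is the part that matters in practice: a deny-list compared by exact string lets "Admin@", "admin+x@" or a full-width spelling through, and each of those still delivers to the mailbox a CA will challenge.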

Admin gets Microsoft account suspended

The admin said that he did all this “just for fun,” after noticing that Microsoft’s email service allowed users to create alias email addresses.

In a report from Finnish online publication Tivi.fi, the admin says that the security lapse was discovered in January and that he immediately contacted the Finnish Communications Regulatory Authority about the matter, but received no assistance.

He then informed multiple Microsoft employees about the problem, but no reply came back.

However, on Thursday, the system admin was informed that his live.fi email address had been suspended and, with it, his Xbox account and the account on his Lumia smartphone.