Azure subdomain taken over with simple exploit

Apr 18, 2019 09:27 GMT

Microsoft’s dedicated service that allowed webmasters to create Windows 8 live tiles for their websites got hacked recently with a very simple subdomain takeover.

Back in the days when Windows 8 was the latest and greatest, Microsoft rolled out a web-based service that allowed website owners to take advantage of the live tile feature in the operating system.

With the BuildMyPinnedSite.com service, websites could just create a live tile that could then be pinned to the Start screen in order to display things like news and fresh content using the typical features of a live tile. These include an animated tile and a custom name.

In the meantime, Microsoft retired the service, but apparently forgot to do one critical thing: to protect the abandoned host against a subdomain takeover attack.

Issue already fixed, says Microsoft

As Hanno Böck of Golem.de discovered, the host was simply redirected to an Azure subdomain, so it was possible to take over this subdomain and then serve custom live tile content to connected clients.

“The takeover works via a so-called CNAME nameserver entry. It redirects all requests for the host to the unregistered Azure subdomain. With an ordinary Azure account, we were able to register that subdomain and add the corresponding host name. Thus we were able to control which content is served on that host,” Böck explains.
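A defender-side audit for the condition Böck describes, added here as an example that is not from the article or from Microsoft: it scans zone data for CNAME records that point into an Azure namespace at a name that no longer exists. The suffix list, the sample zone and all function names are assumptions made for illustration.

```python
import socket

# Assumed list of Azure namespaces where customers choose the left-most label;
# the article only says "a subdomain of Azure", so extend this for your estate.
CLAIMABLE_SUFFIXES = (".azurewebsites.net", ".cloudapp.net", ".trafficmanager.net")

# Constructed zone data: owners and targets are placeholders, not from the article.
SAMPLE_ZONE = """\
www       3600 IN CNAME  shop-prod.azurewebsites.net.
tiles     3600 IN CNAME  retired-tiles.azurewebsites.net.
mail      3600 IN MX     10 mx.example.com.
docs      3600 IN CNAME  docs.example.net.
legacy    3600 IN CNAME  old-vm.cloudapp.net.
"""

def parse_cnames(zone_text):
    """Yield (owner, target) for every CNAME line in simple zone-file text."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments, split columns
        if "CNAME" in fields and fields.index("CNAME") + 1 < len(fields):
            target = fields[fields.index("CNAME") + 1]
            yield fields[0], target.rstrip(".").lower()

def dns_state(name):
    """Return 'resolves', 'nxdomain' or 'unknown' using the system resolver."""
    try:
        socket.getaddrinfo(name, None)
        return "resolves"
    except socket.gaierror as exc:
        # Only a definite "no such name" counts; timeouts stay 'unknown'.
        return "nxdomain" if exc.errno == socket.EAI_NONAME else "unknown"

def find_dangling(zone_text, state_of=dns_state):
    """List CNAMEs pointing into a claimable namespace at a name that no longer exists."""
    findings = []
    for owner, target in parse_cnames(zone_text):
        if target.endswith(CLAIMABLE_SUFFIXES) and state_of(target) == "nxdomain":
            findings.append((owner, target))
    return findings

if __name__ == "__main__":
    for owner, target in find_dangling(SAMPLE_ZONE):
        print(f"dangling CNAME: {owner} -> {target} (remove the record or re-create the resource)")
```

A flagged record is a cleanup candidate: delete the CNAME, or re-create the resource behind it, before the target name is released.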

By the looks of things, this service still receives some traffic, which means an unknown number of websites use it to serve live tiles to computers. Although specifics aren’t available, all of these were exposed to a potential malicious actor with the intent of serving dangerous content.

In a statement for OnMSFT, Microsoft says it resolved the problem by removing the subdomain, but no other specifics were shared as to why the vulnerability was left unfixed until an exploit went public.