
Subdomain takeover: hundreds of Microsoft subdomains hijacked – Golem.de

Microsoft’s subdomain landscape is confusing. New subdomains are constantly added to the existing thousands, and old ones disappear. However, the Microsoft admins regularly forget to delete the DNS records for the retired subdomains. This makes it easy to take over those subdomains, which often point into the Microsoft cloud: a so-called subdomain takeover.


Security researcher Michel Gaschet reported 259 such subdomains to Microsoft last year. But he is not the only one using the trick: a dodgy Indonesian gambling site was found on at least four neglected Microsoft subdomains. The online magazine ZDNet first reported this.

According to Gaschet, Microsoft only fixes five to ten percent of the orphaned subdomains reported to it. Well-known subdomains such as cloud.microsoft.com or account.dpedge.microsoft.com were fixed; the company did not, however, deal with the majority of the subdomains he reported. Gaschet suspects that this is partly because subdomain takeovers are not in scope for Microsoft’s bug bounty program, so the problems are not given priority.

A taken-over subdomain offers many attack possibilities. For example, phishing sites can be hosted under the legitimate microsoft.com or msn.com domains, or an attempt can be made to capture cookies scoped to the main domain.

Although cookies are separated between different subdomains and domains (same-origin policy), many domains share cookies with their subdomains; single sign-on (SSO) services, for example, are often implemented on subdomains. At both the network equipment vendor Ubiquiti and at Uber, researchers were able to capture session cookies via subdomain takeover and thus hijack sessions. Gaschet also discovered attacks on Microsoft, for example the Indonesian gambling site that had taken over at least four Microsoft subdomains: portal.ds.microsoft.com, perfect10.microsoft.com, ies.global.microsoft.com and blog-ambassadors.microsoft.com.
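Which cookies actually reach a hijacked subdomain, as an added example that is not code from the article or from any of the companies named: a minimal model of the cookie domain-matching rule of RFC 6265 (section 5.1.3), run against a constructed cookie jar with the placeholder hosts `login.example.test`, `www.example.test` and `hijacked.example.test`. It shows why a session cookie that an SSO service sets with `Domain=.example.test` is sent to every subdomain, including one an attacker controls, while a host-only cookie is not.

```python
"""Cookie scope vs. subdomain takeover (added example, RFC 6265 5.1.3 model).

The hosts and the cookie jar below are constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # canonicalised domain, no leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host, cookie_domain):
    """RFC 6265 5.1.3: host equals the domain, or is a subdomain of it and
    is not an IP address (simplified: all-digit host treated as IPv4)."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().rstrip(".")
    if request_host == cookie_domain:
        return True
    is_ip = request_host.replace(".", "").isdigit()
    return request_host.endswith("." + cookie_domain) and not is_ip


def parse_set_cookie(header, response_host):
    """Minimal Set-Cookie parser: only the name and the Domain attribute
    matter here. Returns None when the user agent would reject the cookie."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    domain = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = value.strip().lstrip(".").lower()
    if domain is None:
        # No Domain attribute: host-only cookie for the responding host.
        return Cookie(name, response_host.lower().rstrip("."), host_only=True)
    # RFC 6265 5.3 step 6: the responding host must domain-match the attribute,
    # otherwise the cookie is ignored (www.example.test cannot set other.test).
    if not domain_matches(response_host, domain):
        return None
    return Cookie(name, domain, host_only=False)


def cookies_sent_to(request_host, jar):
    """Names of the cookies a browser would attach to a request to `request_host`."""
    host = request_host.lower().rstrip(".")
    sent = []
    for cookie in jar:
        if cookie.host_only:
            if host == cookie.domain:
                sent.append(cookie.name)
        elif domain_matches(host, cookie.domain):
            sent.append(cookie.name)
    return sorted(sent)


# Constructed jar: an SSO session cookie scoped to the parent domain, a
# host-only cookie from www, and one attempt at setting a foreign domain.
JAR = [c for c in (
    parse_set_cookie("sso_session=abc; Domain=.example.test; Secure; HttpOnly",
                     "login.example.test"),
    parse_set_cookie("csrf=xyz; Secure", "www.example.test"),
    parse_set_cookie("evil=1; Domain=other.test", "www.example.test"),  # rejected
) if c is not None]


def demo():
    """Which cookies each host receives; the hijacked one still gets the SSO cookie."""
    hosts = ("www.example.test", "hijacked.example.test", "example.test")
    return {host: cookies_sent_to(host, JAR) for host in hosts}


if __name__ == "__main__":
    for host, names in demo().items():
        print(f"{host:24} -> {names}")
```

`Secure` and `HttpOnly` do not change this outcome; what keeps a cookie away from a hijacked sibling is its scope. Omitting the `Domain` attribute (or using the `__Host-` cookie prefix) makes a cookie host-only, which is the mitigation an SSO endpoint on its own subdomain should use wherever cross-subdomain sharing is not actually needed.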

Windows tiles could also be taken over

Back in April 2019, Golem.de was able to take over the subdomain notifications.buildmypinnedsite.com, which could be used to control the live tiles that Microsoft introduced with Windows 8. The Microsoft site was no longer active, but the Microsoft admins had forgotten to delete the CNAME record in DNS. It pointed to a no longer registered hostname in the Azure cloud, which Golem.de was able to register and then use to deliver content to the Windows tiles.

The problem of orphaned subdomains is not limited to Microsoft. Admins repeatedly delete websites in the cloud but forget to adjust the DNS records as well; unlike a commercial cloud service, a stale DNS record sends no reminder in the form of an invoice. In June last year, for example, the security company Check Point took over an orphaned subdomain of the game manufacturer Electronic Arts (EA).
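The check an admin would run against their own zone, as an added example that is not code from Golem.de, Microsoft or Check Point: follow each name's CNAME chain and flag targets that no longer exist on a service where anyone can register the released name, which is exactly the forgotten-CNAME situation described above. The zone data, the suffix list and the `fake_resolve` resolver are constructed for the demonstration; a real scan would swap `fake_resolve` for a live lookup such as dnspython's `dns.resolver.resolve(name, "CNAME")`.

```python
"""Dangling-CNAME finder for subdomain-takeover candidates (added example).

The zone below is constructed for the demo. `fake_resolve` stands in for a
real resolver such as dnspython's dns.resolver.resolve(name, "CNAME").
"""
from dataclasses import dataclass, field

# Suffixes of services where a released hostname can be re-registered by
# anyone (assumed list for the example; extend it for the providers you use).
TAKEOVER_SUFFIXES = (
    ".cloudapp.net",
    ".azurewebsites.net",
    ".trafficmanager.net",
    ".blob.core.windows.net",
)


class NXDomain(Exception):
    """The name does not exist (NXDOMAIN)."""


# Constructed zone: name -> (record type, value).
FAKE_ZONE = {
    # CNAME to an Azure hostname nobody owns any more: takeover candidate.
    "notifications.example.test": ("CNAME", "pinnedsite-notify.cloudapp.net"),
    # CNAME to an Azure hostname that still resolves: fine.
    "portal.example.test": ("CNAME", "portal-prod.azurewebsites.net"),
    "portal-prod.azurewebsites.net": ("A", "203.0.113.10"),
    # Plain A record: nothing to follow.
    "www.example.test": ("A", "203.0.113.20"),
    # CNAME to a dead internal name: stale, but not on a re-registrable service.
    "old.example.test": ("CNAME", "retired.example.test"),
}


def fake_resolve(name):
    """Return (rtype, value) for `name` or raise NXDomain."""
    try:
        return FAKE_ZONE[name]
    except KeyError:
        raise NXDomain(name) from None


@dataclass
class Finding:
    name: str
    status: str               # "dangling", "stale", "ok", "no-cname", "loop"
    chain: list = field(default_factory=list)


def follow_cname(name, resolve, max_hops=8):
    """Follow CNAMEs from `name`; return (chain of targets, terminal state)."""
    chain = []
    current = name
    for _ in range(max_hops):
        try:
            rtype, value = resolve(current)
        except NXDomain:
            return chain, "nxdomain"
        if rtype != "CNAME":
            return chain, "resolved"
        chain.append(value)
        current = value
    return chain, "loop"


def classify(name, resolve=fake_resolve):
    """Decide whether `name` is a takeover candidate."""
    chain, state = follow_cname(name, resolve)
    if not chain:
        return Finding(name, "no-cname", chain)
    if state == "loop":
        return Finding(name, "loop", chain)
    if state == "nxdomain":
        # The last hop is the hostname an attacker would try to claim.
        if chain[-1].lower().endswith(TAKEOVER_SUFFIXES):
            return Finding(name, "dangling", chain)
        return Finding(name, "stale", chain)
    return Finding(name, "ok", chain)


def scan(names, resolve=fake_resolve):
    """Map each name to its status; the output is a cleanup list for DNS."""
    return {n: classify(n, resolve).status for n in names}


if __name__ == "__main__":
    for name, status in scan(FAKE_ZONE).items():
        print(f"{status:9} {name}")
```

NXDOMAIN on the target is the simplest signal; some services keep the released name resolvable and answer with a provider-specific "not found" page instead, so a production scanner also fingerprints the HTTP response of each target. Either way, the fix for an orphaned record is to delete it, not to register the target yourself.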

The security researchers operated a phishing website on the subdomain in which signin.ea.com was embedded in an iframe. If a user logged in via this site, the researchers were able to have the access token passed, via several redirects, to the subdomain under their control. They thus obtained the player’s SSO token, and with it access to the player’s EA account.
