Microsoft Loses Control Over Windows Tiles Subdomain (zdnet.com)
Microsoft has lost control over a crucial subdomain that Windows 8 and Windows 10 use to deliver RSS-based news and updates to Live Tiles -- animated Windows start menu items. From a report: The subdomain (notifications.buildmypinnedsite.com) is currently under the control of Hanno Bock, a security researcher and journalist for German tech news site Golem.de. The subdomain was part of the buildmypinnedsite.com service that Microsoft set up with the launch of Windows 8, and more specifically to allow websites to show live updates inside users' Start pages and menus.
[...] Today Bock said the service no longer works. "The host that should deliver the XML files -- notifications.buildmypinnedsite.com -- only showed an error message from Microsoft's cloud service Azure," the researcher said. "The host was redirected to a subdomain of Azure. However this subdomain wasn't registered with Azure." Bock registered this subdomain on his Azure account and is currently sinkholing any requests it receives. He also notified Microsoft of the issue but said the company did not reply. "We won't keep the host registered permanently. There's a decent amount of traffic reaching this host and running up costs," the researcher said. "Once we cancel the subdomain a bad actor could register it and abuse it for malicious attacks," he warned.
this was such a great idea to start with (Score:5, Funny)
Re: this was such a great idea to start with (Score:1)
I'm pretty sure Windows still isn't free. So you get annoying ads in addition to overpaying for things.
Now here's my ad, since you didn't pay me to comment. AE911Truth Org
Re: (Score:2)
In the case of Windows you get to pay for it and also see ads. Who says you can't have it all?
Re: (Score:2)
But with Microsoft, you do both.
This will be devastating (Score:5, Funny)
Re: (Score:3)
to the 8 people who use Windows Live Tiles. Once that researcher has control of Suzy Pottingblock of West Virginia's mid-2000s Pentium 4-based computer and her recipe for egg salad (to say nothing of her extensive collection of crochet stitches) he will dominate the world's pot lucks. And as we all know that's the first step to world conquest. Alexander the Great taught us that much.
Yeah, but have you had that egg salad though? Worth it!
Re: (Score:3)
Yes! (Score:2)
Incompetence of a multi-billion dollar business. (Score:1, Funny)
Look at the incompetence of a business that has to convince people to give it resources.
How much dumber and more dangerous would a government then be, given that a government just decrees its income regardless of performance? (Indeed, the worse a government performs, the more income it demands!)
Our best people do not aspire to be in government, to boot. Always keep this in mind when you read stories like this.
It's OK (Score:1)
The German police will be arresting him soon. He had the audacity to screw with a major corporation. His days are numbered.
wrong think is wrong (Score:1)
You don't seem to understand. He actually saved them, and the world. If he hadn't grabbed this, criminals would have and redirected it to serve up viruses to anyone using live tiles, which is.... almost everyone using a modern Windows right now. In addition, he contacted them to let them know about the issue and offered it back to them. But, they ignored his request. It is becoming expensive for him to continue hosting the service because of the vast number of incoming connections. He is warning the world h
Isn't it a Microsoft service? (Score:2)
Re: (Score:1)
Yes. See here [slashdot.org].
Common problem in the cloud. Subdomain takeover (Score:4, Insightful)
No need to do anything with the DNS.
You can create an Azure or Amazon bucket with any name you want, such as frog.denver, hfjskfhd.fjshdjd.hdhdjhs, or secure.microsoft.com. These are NOT DNS names. They're just arbitrary strings.
In the DNS, Microsoft has the DNS name pointed to Azure.
Azure then has that name pointed to a bucket which just happens to have the same name. It could have any name. If Microsoft deletes the bucket (or other resource), anyone else can create one that happens to have the same name.
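The mechanism the comment above describes (a DNS name pointing at a cloud hostname whose backing resource has been deleted, leaving the hostname free for anyone to re-create) is something a zone owner can audit for. The following is an added example written for this page, not code from the Slashdot thread, the Golem.de article or Microsoft. It walks CNAME chains over a constructed, inline resolver view instead of querying live DNS, so it runs offline; the provider suffix list, the `example.com` names and the `cloudapp.net` target are all assumptions chosen to mirror the story, not records taken from the page.

```python
"""Audit a zone for dangling CNAMEs that point at re-creatable cloud hostnames.

Added example (not from the page). The resolver data is constructed inline;
swap in real lookups (e.g. dnspython) to run it against a live zone.
"""
from typing import Dict, List, Optional, Tuple

# A resolver answer: ("CNAME", target), ("A", address), or None for NXDOMAIN.
Record = Optional[Tuple[str, str]]

# Illustrative suffixes where a deleted resource frees its hostname for anyone
# to claim again (assumption: not an authoritative catalogue).
TAKEOVER_PRONE_SUFFIXES = (
    ".cloudapp.net",
    ".azurewebsites.net",
    ".trafficmanager.net",
    ".s3.amazonaws.com",
)

# Constructed resolver view. Only the *.example.com names are "our" zone; the
# other entries model what the resolver returns for the CNAME targets.
SAMPLE_RESOLVER_VIEW: Dict[str, Record] = {
    "notifications.example.com.": ("CNAME", "example-tiles.cloudapp.net."),
    "example-tiles.cloudapp.net.": None,            # resource deleted: NXDOMAIN
    "www.example.com.": ("CNAME", "example-web.azurewebsites.net."),
    "example-web.azurewebsites.net.": ("A", "203.0.113.10"),
    "old.example.com.": ("CNAME", "retired.corp.example.net."),
    "retired.corp.example.net.": None,              # broken, but not a cloud name
    "loop.example.com.": ("CNAME", "loop2.example.com."),
    "loop2.example.com.": ("CNAME", "loop.example.com."),
}


def is_provider_name(host: str) -> bool:
    """True if host ends with a suffix where names are first-come, first-served."""
    host = host.lower().rstrip(".")
    return any(host.endswith(suffix) for suffix in TAKEOVER_PRONE_SUFFIXES)


def follow_cnames(name: str, records: Dict[str, Record], max_hops: int = 8) -> Tuple[List[str], str]:
    """Follow the CNAME chain from name; return (chain, terminal status).

    Status is one of: resolves, nxdomain, loop, too_deep.
    """
    chain = [name]
    seen = {name}
    current = name
    for _ in range(max_hops):
        rec = records.get(current)
        if rec is None:
            return chain, "nxdomain"
        rtype, value = rec
        if rtype != "CNAME":
            return chain, "resolves"
        chain.append(value)
        if value in seen:
            return chain, "loop"
        seen.add(value)
        current = value
    return chain, "too_deep"


def classify(name: str, records: Dict[str, Record]) -> dict:
    """Classify one name: ok, broken, loop, too_deep, or takeover_candidate."""
    chain, status = follow_cnames(name, records)
    last = chain[-1]
    if status == "nxdomain" and len(chain) > 1 and is_provider_name(last):
        verdict = "takeover_candidate"   # the dangerous case from the comment
    elif status == "nxdomain" and len(chain) > 1:
        verdict = "broken"               # dead, but target is not freely claimable
    elif status in ("loop", "too_deep"):
        verdict = status
    else:
        verdict = "ok"
    return {"name": name, "chain": chain, "status": status, "verdict": verdict}


def audit_zone(records: Dict[str, Record], zone: str) -> List[dict]:
    """Return findings for every CNAME in the zone that is not simply ok."""
    findings = []
    for name, rec in records.items():
        if rec is None or rec[0] != "CNAME" or not name.endswith("." + zone):
            continue
        result = classify(name, records)
        if result["verdict"] != "ok":
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_RESOLVER_VIEW, "example.com."):
        print(f"{finding['verdict']:18} {' -> '.join(finding['chain'])}")
```

The fix for a `takeover_candidate` is the one a later comment in this thread gives: remove the CNAME or point it at a host you own before (not after) the cloud resource is deleted. The `broken` verdict is kept separate because a dead internal target is a reliability problem rather than a takeover risk.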
Re: (Score:1)
Re: (Score:2)
What a stupid system. And what a major screw-up to not protect that for something critical. MS is truly incapable of professional operations.
No, that's not correct (Score:1)
Microsoft has not lost control over the domain. It's still Microsoft's domain. It points to an Azure domain where they operated the service, and that's gone, so someone else was able to get their server up and running at the address that the domain points to. Microsoft can and should change the domain to point to nowhere or to one of their own servers.
Re:No, that's not correct (Score:4, Interesting)
It may not be an entirely accurate word to use, but at the time of writing Microsoft was NOT in control of what their OS was obtaining from that address. They hadn't lost control of the domain, but they had lost control of the content.
Might as well post the original article (Score:1)
by Hanno Böck: https://www.golem.de/news/subd... [golem.de]
I don't understand (Score:3)
Why do companies insist on directing their traffic all over the internet? Microsoft is in control of www.microsoft.com. Why is there any reason for any service not to be the result of a wholly in control of the company sub-domain of this website?
This isn't the first time a major organisation has registered an absolutely stupid sounding domain with no direct link to any of their products (read: IP that would offer them some protection from domain theft) only to let it lapse and go to someone else. Hell it's not even the first time Microsoft has done it.
Re: (Score:3)
Security. By using a separate domain you create different contexts for cookies, HSTS configuration, etc.
Microsoft made bad choices and got lucky. (Score:2)
It's only a security kerfuffle because Microsoft got lucky that Hanno Bock didn't use the power Microsoft handed him. From what I can tell, Microsoft's default start menu is populated with pictures and links to news stories (typical corporate news rubbish). Microsoft made an extremely poor decision to set up the default start menu the way they did, drawing anything from an Internet-based source without explicit user approval and consent. Then Microsoft lost control of the domain feeding that info (not the f
Re: (Score:2)
Any domain with "my" in its name is marketroid trash anyhow and should be burned with fire. They also usually tend to be the first ones that get abandoned once the PHBs behind them get captivated by a new squirrel.
(For the pedants out there, that's "my" as the pronoun, not an arbitrary sub-string. Yes, myspace counts.)
Slashdot deleting comments again (Score:2, Interesting)
It appears Slashdot has deleted APK's thread about vulnerabilities affecting some ad blocking browser extensions. While it's a bit off-topic and he did make a bogus allegation that whipslash doesn't want to be embarrassed about hosts, there was no good reason to delete the thread.
I despise APK and, in fact, he's been demanding my name and address so he can fracture my skull. Yes, he made that specific threat. Despite him being a complete asshole and nutjob, his comments in this story didn't deserve to be de
Re:Slashdot deleting comments again (Score:4, Informative)
+1, well said.
Re: (Score:3)
Slashdot has been deleting comments routinely over the past several months.
While I do dislike comment deletion would this class as defending against a denial of service attack?
I have a dream (Score:2)
hello.jpg on a million desktops