Microsoft Was Routing Example-Domain Traffic To a Japanese Cable Company for Five Years (arstechnica.com)
Microsoft has quietly suppressed an unexplained anomaly on its network that was routing traffic destined for example.com -- a domain reserved under RFC2606 specifically for testing purposes and not obtainable by any party -- to sei.co.jp, a domain belonging to Japanese electronics cable maker Sumitomo Electric.
The misconfiguration meant anyone attempting to set up an Outlook account using an example.com email address could have inadvertently sent test credentials to Sumitomo Electric's servers. Under RFC2606, example.com resolves only to IP addresses assigned to the Internet Assigned Names Authority. Microsoft confirmed it has "updated the service to no longer provide suggested server information for example.com" and said it is investigating.
Security researcher Dan Tentler of Phobos Group noted the company appears to have simply removed the problematic endpoint rather than fixing the underlying routing -- "not found" errors now appear where the JSON responses previously occurred. Tinyapps.org, which noted the behavior earlier this month, said the misconfiguration had persisted for five years. Microsoft has not explained how Sumitomo Electric's domain entered its configuration. The incident follows 2024's revelation that a forgotten test account with admin privileges enabled Russian state hackers to monitor Microsoft executives' email for two months.
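The failure described in the summary is a client trusting a "suggested server" response without checking it against the account domain it was asked about. The check below is an added example written for this page, not Microsoft's, Outlook's or Phobos Group's code: it refuses to act on a suggestion when the account domain is one of the names RFC 2606 reserves for documentation, and warns when the suggested server sits outside the account's domain. The JSON key `suggested_server` is a hypothetical stand-in for whatever the real service returned, and the sample inputs are constructed; `sei.co.jp` and `example.com` are the names from the article.

```python
import json

# Names reserved by RFC 2606: section 2 reserves four TLDs, section 3
# reserves three second-level domains. None should reach a live setup flow.
RFC2606_RESERVED_TLDS = frozenset({"test", "example", "invalid", "localhost"})
RFC2606_RESERVED_DOMAINS = frozenset({"example.com", "example.net", "example.org"})


def is_rfc2606_reserved(hostname: str) -> bool:
    """True if hostname is, or sits under, a name RFC 2606 reserves."""
    labels = hostname.lower().rstrip(".").split(".")
    if labels[-1] in RFC2606_RESERVED_TLDS:
        return True
    return len(labels) >= 2 and ".".join(labels[-2:]) in RFC2606_RESERVED_DOMAINS


def is_under_domain(hostname: str, domain: str) -> bool:
    """True if hostname equals domain or is a subdomain of it."""
    h, d = hostname.lower().rstrip("."), domain.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def check_suggestion(email: str, response_json: str) -> list:
    """Validate a suggested-server response before any credentials are sent.

    Returns a list of findings; an empty list means the suggestion passed.
    "refuse:" findings should stop setup; "warn:" findings should prompt
    the user, because hosted mail legitimately lives outside the account
    domain, so a cross-domain server is suspicious rather than wrong.
    """
    findings = []
    try:
        data = json.loads(response_json)
    except json.JSONDecodeError:
        return ["refuse: response is not valid JSON"]

    _, sep, account_domain = email.rpartition("@")
    if not sep or not account_domain:
        return ["refuse: malformed email address"]

    # A documentation-only domain has no real mail service behind it;
    # any suggestion for it is a misconfiguration, whatever it points at.
    if is_rfc2606_reserved(account_domain):
        findings.append(f"refuse: account domain {account_domain} is reserved by RFC 2606")

    server = data.get("suggested_server")  # hypothetical key name, see lead-in
    if not isinstance(server, str) or not server:
        findings.append("refuse: response carries no suggested server")
        return findings

    if is_rfc2606_reserved(server):
        findings.append(f"refuse: suggested server {server} is an RFC 2606 reserved name")

    if not is_under_domain(server, account_domain):
        findings.append(
            f"warn: suggested server {server} is outside account domain "
            f"{account_domain}; confirm before sending credentials"
        )

    return findings


if __name__ == "__main__":
    # Constructed sample inputs modelled on the incident in the article.
    for email, body in [
        ("someone@example.com", '{"suggested_server": "sei.co.jp"}'),
        ("alice@acme.corp", '{"suggested_server": "mail.acme.corp"}'),
    ]:
        print(email, "->", check_suggestion(email, body) or ["ok"])
```

Run it as a script to see the two sample cases: the `example.com` case yields a refusal for the reserved account domain plus a cross-domain warning for `sei.co.jp`, and the constructed `acme.corp` case passes cleanly. The refuse/warn split is deliberate: blocking on every cross-domain server would break legitimate hosted mail, while a reserved account domain has no legitimate outcome at all.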
misconfiguration on Microsoft DNS servers? (Score:2)
Well done (Score:3, Funny)
Re: (Score:2)
I wonder what they are smoking.
Monkeys Could Fly Out My Butt (Score:2)
Such a convoluted and manufactured premise.
But the "security" company got their name in the news. So, they've got that going for them.
If you want passwords, there are plenty of lists available for free and for sale. There's no need to go to all this trouble.
Might want to see a proctologist about that (Score:2)
RFC 2606 (Score:2)
I checked out RFC 2606 [rfc-editor.org], and there is nothing there about using IANA assigned IP addresses (in the case of IPv6, it's 2001::/23). It would seem to me that the most appropriate IP address to use for example.com would be 2001:db8:1:1::0af5, since one would be mapping example.com to an address from the reserved space for examples in IPv6.
Sorry, I don't know if there is an equivalent block in IPv4 for documentation purposes like the 2001:db8::/32. The only IANA assigned addresses have 0 in the first byte of an IP.
Re: (Score:3)
The RFC states the following:
6. DNS server operators SHOULD be aware that example names are reserved for use in documentation.
7. DNS Registries/Registrars MUST NOT grant requests to register example names in the normal way to any person or entity. All example names are registered in perpetuity to IANA:
Re: (Score:2)
Never say anything private when you think no one is listening, otherwise you deserve to have everyone know your secret?
Because no worthwhile human ever makes inane mistakes; even when they should be able to rely on a multi-billion dollar corporation to follow a specification...
In related news ... (Score:2)
I understand the link between these sites and ad-blocker walls. But there are a couple of issues: 1) I'm not running an ad blocker. That's my ISP doing the blocking, so I can't "turn it off". 2) Why, upon de
Re: (Score:1)
Disable javascript on slashdot and all of your dreams will come true...
Re: (Score:2)
Disable javascript on slashdot
It's not Slashdot loading this stuff directly. It's the ad sites.
It's also not all JavaScript. Some is broken CSS and remote styles.
Re: In related news ... (Score:2)
My dream includes being able to see moderation details
Re: (Score:2)
That's why not running uMatrix or disabling its deny-by-default mode is insane.
Reminds me of... (Score:2)
...MCSE school. Having an illuminating discussion with the instructor over using the .local TLD for internal DNS. Followed by "well, just use .mslocal, that will be safe forever."
Admittedly this was 1993, when no one could conceive of new TLDs. Except for a few of us CNEs who were trained to think ahead, occasionally.
We were trained to have our clients register their domain, immediately, and run their own internal DNS, back when it was truly wizardry. But worth it.
Why does Outlook etc. even permit this? Wel