Another cybercrime was reported a day before. A cybersecurity expert yesterday confirmed well-known unpatched loopholes in Microsoft’s Azure cloud check by misusing it to get control over Windows operating system Live Tiles, one of the main features Microsoft created into Windows 8 operating system in order to facilitate users.
It Presented in Windows 8, the Live tiles function was made to show content and notifications on the Start screen, letting users to always pull up-to-date knowledge from their favorite apps and web pages.
To give it a better and convenient look for websites and to offer their content as Live Tiles, Microsoft had a function to display available on a subdomain of a separate domain, for instance “notifications.buildmypinnedsite.com,” that permitted website management to automatically convert their RSS feeds into a distinct XML format and use this element as a Meta tag on their websites.
The facility, which Microsoft had previously closed due to some reasons, was hosted on its own Azure Cloud platform with the subdomain integrated/linked to an Azure account run by the organization.
But, it turns out that even after closing the RSS-to-XML converter service, the organization forgot to remove name server entries, exit the unclaimed subdomain still pointing to the Azure servers.
Hanno Böck, who found this problem, detained this opportunity to abuse the weakness and regained the same subdomain using a freshly made account on Azure. This step minimized the overall impact of the error.
Actually, the indirect control over Microsoft’s subdomain created it open for him to push arbitrary content or notifications on Windows Live Tiles of numerous app or websites that are still integrating Meta tags created by the closed service.
Bock said that with a common Azure account, they were able to record that subdomain and add the corresponding hostname. Therefore they were capable to observe which content is served on that host.
Moreover, he stated that web pages that comprise such Meta tags should delete them or if they need to keep the features, make the suitable XML files themselves.”
This step is usually known as “subdomain takeover,” a significant attack vector that can typically be diagnosed in the way most online services permit their users to operate web apps or blogs with a custom domain name.
For instance, when you make an application on Azure and need to let it available on the Internet with a custom domain name, the policy asks users to point their domain’s nameserver to Azure and then claim it within their account’s dashboard, without confirming the domain ownership rights.
Microsoft is known as a pioneer in the technological world. Since Microsoft Azure does not have an instrument to check if the account requesting a domain surely owns it, any Azure user can claim any unclaimed domain (or left unattended) that have name servers indicating to the cloud service.
Interestingly, Google’s Blogger service also had a similar issue, which the organization reinforced a few years ago by considering it mandatory for every blog owner to set a distinct, unique TXT track for their custom domains in order to check the claim.
Though it looks Microsoft has now protected its subdomain by deleting the nameservers, The Ehacking experts find out to Microsoft to acquire if the organization has any idea to resolve the “subdomain takeover” problem in its Azure cloud service platform that could finally affect other domain users as well. We are hoping that Microsoft will take precautionary measures to prevent such issues in the future.