Researchers have devised another way to carry out an attack, for example, inviting victims to download a fake update from an apparently trusted URL such as mybrowser.microsoft.com.
Security researchers Numan Ozdemir and Ozan Agdepe from security firm VULLNERABILITY demonstrated that hundreds of sub-domains belonging to Microsoft could potentially be
Experts identified at least 670 subdomains
Many sub-domains belonging to the IT giant, such as dev.social.microsoft.com and web.visualstudio.com, are hosted on Azure cloud.
Let’s consider mybrowser.microsoft.com, it might have resolved by the DNS to something like webserver9000.azurewebsites.net.
But experts discovered that Microsoft did not take care of DNS entries for the sub-domains that for some reason it stops to update.
Back to the above example, the sub-domain mybrowser.microsoft.com would still point to a server instance on webserver9000.azurewebsites.net even it has been shut down.
In this scenario, an attacker could potentially get an Azure account, set up a web server instance, and request the hostname webserver9000 (webserver9000.azurewebsites.net). This means that visitors
“So, it is not possible to detect that the
Ozdemir and Agdepe demonstrated that hundreds of Microsoft sub-domains could be hijacked and reported them to the company.
“There are 2 points we should care about:
Microsoft acknowledged the issue and deactivated these sub-domains.
Ozdemir explained that is is quite simple for an attacker to take full control over a sub-domain, it could take anywhere from five to 30 minutes to attackers.
“Attacker firstly detects subdomains, then scan them to determine if they are vulnerable or not. We have developed an automated tool for it.” Ozdemir told me. “Once the attacker has found a vulnerable sub-domain, he will register the hosting provider and get that namespace.
It is easy to do, and it is also generally free. So, everybody can do it.
You have to follow your subdomains regularly If your hosting service expires,
The bad aspect of the story is the way Microsoft has managed the situation, it has refused to pay out bug bounties for the issue even if the bug bounty program of the company covers sub-domain security.
Experts pointed out that Microsoft only needs to delete DNS entries for sub-domains when decommissioning their servers or remove DNS entries for those sub-domains that no longer respond to HTTP requests.
Experts explained that there are a lot of service providers vulnerable to
“There are lots of service providers vulnerable to
(SecurityAffairs – hacking, Microsoft sub-domains)