A vulnerability in Microsoft subdomains exposes them to hijacking, which could be exploited in malware and phishing attacks against users and employees.
If hijacked, these subdomains could trick users into believing they are on a legitimate web domain when in fact they are on a subdomain controlled by attackers.
Any information users share on these subdomains, including usernames and passwords, could be exposed to attackers.
Experts believe a DNS misconfiguration is the cause of this vulnerability.
Numan Ozdemir and Ozan Agdepe, experts from the cybersecurity company VULNERABILITY, discovered this flaw and reported it to Microsoft.
Microsoft states that it is aware of the issue and is taking appropriate action to protect customers and services.
There is no evidence that the vulnerability has been exploited; however, the flaw is now in the public domain, meaning it could be on threat actors' radar.
Experts found at least 670 vulnerable subdomains. According to VULNERABILITY, the following subdomains contained the vulnerability, but all of them have been reported to Microsoft and fixed:
- web.visualstudio.com / webeditor.visualstudio.com
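The article only says "DNS misconfiguration"; the classic form of that mistake is a subdomain whose CNAME still points at a name nobody controls anymore. The following defender-side audit is an added example (not code from the article or from VULNERABILITY) that walks a small constructed zone excerpt and reports CNAME owners whose final target no longer resolves. The zone names and the stand-in resolver are constructed for the example; in practice the resolver would be a real DNS lookup.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed zone-file excerpt (hypothetical names, not any real Microsoft records).
SAMPLE_ZONE = """
www.example-corp.test.      300 IN A     203.0.113.10
blog.example-corp.test.     300 IN CNAME example-corp.hosting-provider.test.
old-demo.example-corp.test. 300 IN CNAME retired-app.cloud-host-example.test.
alias.example-corp.test.    300 IN CNAME old-demo.example-corp.test.
"""

# Constructed answer set standing in for a live resolver: only these names resolve.
RESOLVABLE = {"www.example-corp.test.", "example-corp.hosting-provider.test."}

RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")

def parse_zone(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {owner: (rtype, rdata)} for the A/AAAA/CNAME lines of a zone excerpt."""
    records: Dict[str, Tuple[str, str]] = {}
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records[m.group(1)] = (m.group(2), m.group(3))
    return records

def find_dangling(records: Dict[str, Tuple[str, str]],
                  resolves: Callable[[str], bool]) -> List[Tuple[str, str]]:
    """Follow each CNAME chain inside the zone; report owners whose final target does not resolve."""
    findings: List[Tuple[str, str]] = []
    for owner, (rtype, target) in records.items():
        if rtype != "CNAME":
            continue
        seen = {owner}
        name = target
        # Walk in-zone CNAME hops (alias -> old-demo -> external target); stop on loops.
        while name in records and records[name][0] == "CNAME" and name not in seen:
            seen.add(name)
            name = records[name][1]
        if not resolves(name):
            findings.append((owner, name))
    return findings

def audit_sample() -> List[Tuple[str, str]]:
    """Run the audit over the constructed zone with the constructed resolver."""
    return find_dangling(parse_zone(SAMPLE_ZONE), lambda n: n in RESOLVABLE)

if __name__ == "__main__":
    for owner, target in audit_sample():
        print(f"dangling: {owner} -> {target}")
```

Both `old-demo` and the `alias` that chains through it are flagged against the same unreachable target, which is the record set an owner would want to delete or re-point before anyone else can claim the target name.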
Threat actors can do a lot of things by exploiting these subdomains
By exploiting this vulnerability, threat actors could steal credentials, passwords and important documents, drop malware, and more. VULNERABILITY lists what threat actors could specifically do on each vulnerable subdomain:
- ask visitors for ID cards or their account credentials on identityhelp.microsoft.com
- force visitors to install an extension or update their browsers and spy on them by embedding spyware/malware on mybrowser.microsoft.com
- ask visitors to upload their project files, enabling threat actors to steal their code, on webeditor.visualstudio.com
- ask team members to upload sensitive corporate documents on data.teams.microsoft.com via the Teams app
- ask for money to recharge users' Skype accounts on sxt.cdn.skype.com
- force visitors to download malware on download.collaborate.microsoft.com
- manipulate the stats and graphs on incidentgraph.microsoft.com
- steal administrator passwords on admin.recognition.microsoft.com
- manipulate API queries or collect sensitive device information on api.getdevices.microsoft.com
- collect information about developers on dev.social.microsoft.com
- collect information about certificates on manage.codesign.microsoft.com
- publish fake security updates and force users to download them on *.securitycenter.windows.com
The subdomain vulnerability is not something new
The risk of hijacking Microsoft subdomains has been discovered and reported before. Michel Gaschet, a security researcher and a developer for NIC.gp, said in an interview with ZDNet that he has been reporting subdomains with misconfigured DNS records to Microsoft for the past three years, and that Microsoft has either fixed those subdomains or ignored the reports entirely. Gaschet says he reported 21 vulnerable msn.com subdomains in 2017 and 142 misconfigured microsoft.com subdomains in 2019; another list of 117 vulnerable microsoft.com subdomains was also reported to Microsoft. Gaschet stated that of all the misconfigured subdomains he reported, Microsoft fixed only around 5% to 10%.