Microsoft subdomains hijacked following DNS security blunder
Vulnerability researchers were able to hijack a series of subdomains belonging to Microsoft after the company was found to be employing poor DNS practices.
Subdomains including mybrowser.microsoft.com and identityhelp.microsoft.com were among ten hijacked by a team of security researchers from Vullnerability. In all, more than 670 Microsoft subdomains were found to be at risk of being taken over.
Numan Ozdemir and Ozan Agdepe from exploit and vulnerability alert service Vullnerability reported the hijacked domains to Microsoft, which addressed the security issue. The team hunted for subdomains which were no longer linked to a website. Because the sites were hosted on Azure by Microsoft, it was very easy to see where a subdomain's DNS record was supposed to point; for example, mybrowser.microsoft.com could be linked to browserver.azurewebsites.net.
In many cases, Vullnerability found that when Microsoft stopped using a particular subdomain, it left the related DNS record in place. All that needed to be done was to use an Azure account to request browserver.azurewebsites.net, and this could then be used to host anything the hijacker wanted, including fake Microsoft pages that gather usernames and passwords.
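The dangling-record condition described above, as an added example (not code from the article or from the Vullnerability team) of the audit a zone owner can run to find it; the zone data, the offline resolver stand-in and every hostname in it are constructed:

```python
# Added example, not code from the article or from Vullnerability: flag
# CNAME records whose Azure target no longer resolves, the "dangling"
# condition the article describes (site decommissioned, DNS record kept).
# The resolver is injected so the check runs offline on constructed data.
import socket
from typing import Callable, Dict, List

# Hosting suffix named in the article; a released *.azurewebsites.net name
# can be requested by any Azure account. Extend with other providers whose
# released hostnames can be re-claimed (assumption: you maintain this list).
CLAIMABLE_SUFFIXES = ("azurewebsites.net",)

# Constructed zone data mirroring the article's pattern
# (mybrowser.microsoft.com -> browserver.azurewebsites.net). All names are
# illustrative, not real records.
SAMPLE_ZONE: Dict[str, str] = {
    "mybrowser.example.com": "old-browser-demo.azurewebsites.net.",  # target gone
    "docs.example.com": "docs-prod-demo.azurewebsites.net",          # target live
    "www.example.com": "cdn-demo.example.net",                        # not Azure
}

# Constructed answer set standing in for DNS: only these targets resolve.
_LIVE_TARGETS = {"docs-prod-demo.azurewebsites.net", "cdn-demo.example.net"}


def demo_resolver(hostname: str) -> bool:
    """Offline stand-in for a DNS lookup: True if the target has an address."""
    return hostname in _LIVE_TARGETS


def live_resolver(hostname: str) -> bool:
    """Real lookup for production use; an unresolvable target means dangling."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def find_dangling(zone: Dict[str, str], resolves: Callable[[str], bool]) -> List[str]:
    """Return the zone names whose CNAME points at a claimable, dead target."""
    dangling = []
    for name, target in zone.items():
        target = target.rstrip(".").lower()      # normalise the FQDN form
        if not target.endswith(CLAIMABLE_SUFFIXES):
            continue                              # hosted elsewhere; out of scope
        if not resolves(target):
            dangling.append(name)                 # delete or re-point this record
    return dangling


if __name__ == "__main__":
    for record in find_dangling(SAMPLE_ZONE, demo_resolver):
        print(f"dangling CNAME, remove or re-point: {record}")
```

Pass `live_resolver` instead of `demo_resolver` to run it against real DNS; the fix for each hit is to delete the record or point it at infrastructure you still control.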
The whole process is terrifyingly simple. The researchers say that very little technical skill is required, and a successful hijack can be carried out in between 5 and 50 minutes. Ozdemir and Agdepe say:
Our team claimed some of those critical subdomains before attackers and reported them ethically to Microsoft.
They go on to point out that "yet another danger about subdomain takeover vulnerabilities" is the theft of account passwords and cookies, which they demonstrate in a video:
So far the researchers have only reported 10 of the insecure subdomains to Microsoft. Why not the rest? There's a reasonable excuse:
Microsoft doesn't reward subdomain takeover vulnerabilities. We have already reported lots of vulnerable subdomains. We have already reported the subdomains in this post, but we will not report the other 660+ vulnerable subdomains until Microsoft rewards researchers. Also, until Microsoft offers bounties to researchers for subdomain takeover vulnerabilities, we recommend that you don't visit any subdomain of Microsoft, because it is impossible to understand whether a subdomain is hijacked or not.
You can read the full report over on the Vullnerability website.