Back in the day, when Microsoft was full of promise and high hopes for Windows 8 and its forced implementation of a tiled interface, a service and solution for websites to be able to create their own Live Tile was introduced at buildmypinnedsite.com. Websites were able to create Live Tiles for their publications, including converted RSS feeds for “live” news, and allow users to pin those tiles to their Start Screens.
It was never very successful (nor was Windows 8, for that matter), and Microsoft discontinued the service. BuildMyPinnedSite.com is still an active site, but the actual service no longer works. However, as discovered by Hanno Böck and posted today on German site golem.de, Microsoft not only never bothered to take down the site, but left the DNS record for the host that served the live tiles pointing at an Azure hostname nobody owned any more, leaving it ripe for a subdomain takeover attack, and that’s exactly what Böck did, as a proof of concept:
The host was redirected to a subdomain of Azure. However this subdomain wasn’t registered with Azure.
Azure subdomain could be re-registered
The takeover works via a so-called CNAME nameserver entry. It redirects all requests for the host to the unregistered Azure subdomain. With an ordinary Azure account, we were able to register that subdomain and add the corresponding host name. Thus we were able to control which content is served on that host.
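The mechanism Böck describes is a dangling CNAME: a record in your own zone points at a provider hostname that no longer exists, so anyone with an account at that provider can claim it. The following is an added example, not code from the article or from Böck's write-up, showing how a zone owner would check for that condition. It follows each CNAME chain and flags a name whose final target returns no records at all; if that target sits on a suffix where any account can register hostnames, it is reported as a takeover candidate. The suffix list and the sample DNS table are assumptions constructed for the example (the article does not say which Azure service was involved), and resolution is injected so the code runs offline.

```python
"""Dangling-CNAME check for subdomain-takeover exposure.

Added example; not code from the article or from the golem.de write-up.
Resolution is injected as a lookup function so the check runs offline on
a constructed table; swap in a real resolver to scan a live zone.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Illustrative Azure-owned suffixes on which an unclaimed hostname can be
# registered by an ordinary account. ASSUMPTION for the example: the article
# does not name the service Böck used, and this list is not exhaustive.
TAKEOVER_PRONE_SUFFIXES = (
    ".cloudapp.net",
    ".cloudapp.azure.com",
    ".azurewebsites.net",
    ".trafficmanager.net",
    ".blob.core.windows.net",
    ".azureedge.net",
)

# A lookup returns (record type, data) for a name, or None when the name has
# no records at all (NXDOMAIN).
Record = Tuple[str, str]
LookupFn = Callable[[str], Optional[Record]]


@dataclass
class Finding:
    name: str
    chain: List[str]   # hostnames visited, starting with `name`
    status: str        # ok | nxdomain | dangling | takeover_candidate | loop | too_many_hops


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so comparisons are stable."""
    return name.rstrip(".").lower()


def assess(name: str, lookup: LookupFn, max_hops: int = 8) -> Finding:
    """Follow CNAMEs from `name` and classify where the chain ends."""
    chain = [normalize(name)]
    seen = set(chain)
    while True:
        rec = lookup(chain[-1])
        if rec is None:
            # The current hop has no records: either the name we were asked
            # about is simply absent, or a CNAME points into the void.
            if len(chain) == 1:
                return Finding(chain[0], chain, "nxdomain")
            end = chain[-1]
            status = "takeover_candidate" if end.endswith(TAKEOVER_PRONE_SUFFIXES) else "dangling"
            return Finding(chain[0], chain, status)
        rtype, data = rec
        if rtype != "CNAME":
            return Finding(chain[0], chain, "ok")   # chain terminates in real data
        target = normalize(data)
        if target in seen:
            return Finding(chain[0], chain, "loop")
        if len(chain) > max_hops:
            return Finding(chain[0], chain, "too_many_hops")
        chain.append(target)
        seen.add(target)


def scan(names: List[str], lookup: LookupFn) -> Dict[str, Finding]:
    """Return only the names that need attention (anything not 'ok')."""
    results = {n: assess(n, lookup) for n in names}
    return {n: f for n, f in results.items() if f.status != "ok"}


def lookup_from_table(table: Dict[str, Record]) -> LookupFn:
    """Build an offline lookup from a constructed name -> record table."""
    normalized = {normalize(k): v for k, v in table.items()}
    return lambda n: normalized.get(normalize(n))


# Constructed sample zone view (not real hosts). The provider-side name for
# tiles.example.com is deliberately absent, mirroring the article's case.
SAMPLE_DNS: Dict[str, Record] = {
    "tiles.example.com.":              ("CNAME", "tiles-example.cloudapp.net."),
    "www.example.com.":                ("CNAME", "example-web.azurewebsites.net."),
    "example-web.azurewebsites.net.":  ("A", "203.0.113.10"),
    "legacy.example.com.":             ("CNAME", "gone.example.org."),  # dangling, not claimable here
    "loop1.example.com.":              ("CNAME", "loop2.example.com."),
    "loop2.example.com.":              ("CNAME", "loop1.example.com."),
}
sample_lookup = lookup_from_table(SAMPLE_DNS)

if __name__ == "__main__":
    zone_names = [n for n in SAMPLE_DNS if n.endswith("example.com.")]
    for host, finding in scan(zone_names, sample_lookup).items():
        print(f"{finding.status:18} {host}  via {' -> '.join(finding.chain)}")
```

To run this against a live zone, replace `sample_lookup` with a function that queries DNS (with dnspython, `dns.resolver.resolve(name, "CNAME")` and a fallback to A/AAAA, treating `dns.resolver.NXDOMAIN` as `None`). One caveat: the NXDOMAIN signal is what the article's case relied on, but some hosted services keep the target name resolving and answer with a provider error page instead, so a complete check also needs to fetch the host and compare the response against the provider's "unclaimed" page.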
While Böck does not appear to have any ill intentions, he is disappointed that Microsoft has neither shut down the vulnerability nor even acknowledged his requests for clarification. For right now he controls the subdomain, but since there is “a decent amount of traffic reaching this host,” he is running up costs keeping it active, and the next one to come along may not be so honest:
Once we cancel the subdomain a bad actor could register it and abuse it for malicious attacks.
There are probably many sites out there that still have the live tiles code active, forgotten in page headers after interest in live tiles died down, and Microsoft has an obligation not only to properly shut this service down, but also to ensure that its forays into various services in the future are properly maintained, or properly decommissioned, including the DNS records that point at them. We’re asking Microsoft for comment and will report back on any further information.
Update: Microsoft has responded to our request for more information, and has fixed the issue, which is what the original poster was after to begin with:
“We’ve resolved this issue and the subdomain has been removed.” – a Microsoft spokesperson