Windows Live-Tile takeover from security researcher

[German]Windows 10 Windows 10 (but also Windows 8.x) use Live tiles in Apps to display content in the Start menu. German security researcher Hanno Böck was able to takeover the subdomain for the corresponding service and was able to display any content on the Live tiles in the start menu.


Windows Live Tiles

Since Windows 8 you could pin apps as tiles in the start menu. And if the app used a certain service, information could be dynamically displayed on the app tile. The function was called Microsoft Live Tiles. Thus, the weather app could be dynamically displayed weather conditions on its tile. There were apps for stock market news, news apps with the latest headlines and so on.

After take down the mobile business, Live Tiles wasn't anymore within Microsoft's scope. So the Live Tiles concept and also the service used to display live content was taken down.

The hijacked Live Tiles

Security researcher Hanno Böck became aware, that Microsoft has abandoned the service that could be used to write content from websites on live tiles. When the corresponding web service was switched off, the company failed to delete the corresponding name server entries, according to Hanno Böck.

The service was set up under the Azure domain This enabled Hanno Böck to launch a so-called subdomain take-over attack for the live tile service. This is a popular method to take over orphaned subdomains during attacks. Golem described this approach in this older article. An English article about that may be found here.

Hanno Böck could then take over the orphaned sub-domain via the CNAME name server entry via his Azure account. After the successful subdomain take-over attack for the live tile service hosted on an Azure domain, the service was under the control of Hanno Böck. Hanno Böck was then able to display any images and text in the tiles of other websites (which were configured as Live Tiles in the Windows Start menu).


Live-Tile Takeover in Windows 10 Startmenu
(Source: Screenshot from Video)

The picture above is a screenshot from a demonstration video Böck published. In the lower right corner of the Windows 10 start menu you can see live tiles with skulls and the title 'pwn'. Böck provided this with content via the hijacked service.

Hanno Böck reported this to Microsoft – perhaps to gain bug bountiest. However, there was no reaction from Microsoft, so he decided to disclose it. This was done today (17.4.2019) at 7:15 (MEZ) am in the article Microsoft loses control over Windows Tiles at news site Golem. This article contains many details about technical aspects. German magazine Heise, who were contacted by Böck, writes here that the Azure service in question is no longer available. Microsoft obviously deleted at least the CNAME name server entry on the hijacked sub-domain.

The episode shows once again how wobbly and risky the whole Microsoft tile rubbish is. But there are rumours that the tiles will be abolished with 'Windows Lite'. Would have been just a swerve of several years, starting from Windows 8 over Windows 10, in which the stuff should somehow be brought to people – praised like sour beer. No matter how you turn it: it's embarrassing for Redmond, but I'd say 'and it's typical'. What's your opinion?

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *