{"id":9479,"date":"2019-04-17T18:26:55","date_gmt":"2019-04-17T16:26:55","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=9479"},"modified":"2019-05-14T22:30:37","modified_gmt":"2019-05-14T20:30:37","slug":"windows-live-tile-takeover-from-security-researcher","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2019\/04\/17\/windows-live-tile-takeover-from-security-researcher\/","title":{"rendered":"Windows Live Tile takeover by security researcher"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2013\/03\/winb.jpg\" width=\"58\" height=\"58\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2019\/04\/17\/sicherheit-windows-und-die-gekaperten-live-kacheln\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Windows 10 (but also Windows 8.x) uses Live Tiles in apps to display content in the Start menu. German security researcher Hanno B\u00f6ck was able to take over the subdomain of the corresponding service and could thus display arbitrary content on Live Tiles in the Start menu.<\/p>\n<p><!--more--><\/p>\n<h2>Windows Live Tiles<\/h2>\n<p>Since Windows 8 you can pin apps as tiles in the Start menu. If an app uses a certain service, information can be displayed dynamically on the app's tile. Microsoft called this feature Live Tiles. The weather app, for example, could show current weather conditions on its tile; there were apps for stock market news, news apps with the latest headlines and so on.<\/p>\n<p>After Microsoft wound down its mobile business, Live Tiles were no longer a focus for the company. 
So Microsoft stopped pushing the Live Tiles concept, and the service that websites used to feed live content to their tiles was shut down.<\/p>\n<h2>The hijacked Live Tiles<\/h2>\n<p>Security researcher Hanno B\u00f6ck became aware that Microsoft had abandoned the service through which websites could write content to Live Tiles. When the web service was switched off, the company failed to delete the corresponding DNS entries, according to B\u00f6ck.<\/p>\n<p>The service was reachable under the subdomain notifications.buildmypinnedsite.com, whose DNS record pointed to a service hosted on Azure. This enabled Hanno B\u00f6ck to launch a so-called subdomain takeover attack against the Live Tile service. This is a popular method to take over orphaned subdomains: a DNS record still points to a cloud resource that its owner has released, so anyone who re-registers that resource name with the cloud provider receives the traffic for the subdomain. Golem described the approach in <a href=\"https:\/\/www.golem.de\/news\/subdomain-takeover-verwaiste-domains-einfach-uebernehmen-1807-135513.html\" target=\"_blank\" rel=\"noopener noreferrer\">this older article<\/a>. An English article about it may be found <a href=\"https:\/\/www.securitynewspaper.com\/2018\/05\/04\/make-subdomain-takeover-attack\/\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/p>\n<p>Because the CNAME record for the orphaned subdomain still pointed to an Azure hostname that was no longer claimed, Hanno B\u00f6ck could register that hostname under his own Azure account and thereby take over the subdomain. After this successful subdomain takeover, the Live Tile service was under B\u00f6ck's control. He was then able to display arbitrary images and text on the tiles of other websites that users had pinned as Live Tiles in the Windows Start menu.<\/p>\n<p><img decoding=\"async\" title=\"Live-Tile Takeover in Windows 10 Startmenu\" src=\"https:\/\/i.imgur.com\/B73Nucj.jpg\" alt=\"Live-Tile Takeover in Windows 10 Startmenu\" \/><br \/>\n(Source: Screenshot from video)<\/p>\n<p>The picture above is a screenshot from a demonstration video B\u00f6ck published. In the lower right corner of the Windows 10 Start menu you can see live tiles with skulls and the title 'pwn'. 
B\u00f6ck supplied this content via the hijacked service.<\/p>\n<p>Hanno B\u00f6ck reported this to Microsoft, perhaps hoping for a bug bounty. However, there was no reaction from Microsoft, so he decided to disclose it. This was done today (17 April 2019) at 7:15 am (CET) in the article <a href=\"https:\/\/www.golem.de\/news\/subdomain-takeover-microsoft-loses-control-over-windows-tiles-1904-140717.html\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft loses control over Windows Tiles<\/a> at the news site Golem. That article contains many technical details. German magazine Heise, which was contacted by B\u00f6ck, <a href=\"https:\/\/www.heise.de\/security\/meldung\/Windows-Kacheln-entfuehrt-4401427.html\">writes here<\/a> that the Azure service in question is no longer reachable. Microsoft has apparently removed at least the CNAME record for the hijacked subdomain.<\/p>\n<p>The episode shows once again how wobbly and risky the whole Microsoft tile rubbish is. But there are rumours that the tiles will be abolished with 'Windows Lite'. That would make it a detour of several years, from Windows 8 to Windows 10, during which the stuff was somehow to be foisted on people, hawked like sour beer. No matter how you look at it: it's embarrassing for Redmond, and I'd say typical. What's your opinion?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Windows 10 (but also Windows 8.x) uses Live Tiles in apps to display content in the Start menu. 
German security researcher Hanno B\u00f6ck was able to take over the subdomain of the corresponding service and was able to display &hellip; <a href=\"https:\/\/borncity.com\/win\/2019\/04\/17\/windows-live-tile-takeover-from-security-researcher\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[78,69,194],"class_list":["post-9479","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-app","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/9479","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=9479"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/9479\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=9479"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=9479"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=9479"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
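The condition the post describes, a CNAME record left behind after the Azure resource it pointed to was released, is the dangling-CNAME pattern behind most subdomain takeovers, and it is cheap to detect from the DNS side. The check below is an added example written for this page; it is not code from the original post, from Microsoft or from Hanno Böck. It walks the CNAME chain for each name in a zone and flags chains that end at a non-resolving target under a cloud suffix where anyone with an account can re-register the name. The zone data is constructed (the `.test` hostnames are made up; the first entry only mimics the shape of the incident), the suffix list is an illustrative assumption rather than an exhaustive inventory, and the optional `live_lookup` assumes the dnspython package.

```python
"""Dangling-CNAME check for subdomain-takeover exposure.

Added example; not code from the original post, from Microsoft or from
Hanno Boeck. SAMPLE_ZONE is constructed, and TAKEOVER_PRONE_SUFFIXES is an
illustrative assumption, not an exhaustive list of re-registrable hostnames.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Hostname suffixes where a released name can be claimed by anyone with an
# account on that platform (assumption: illustrative, not exhaustive).
TAKEOVER_PRONE_SUFFIXES = (
    ".cloudapp.net",
    ".cloudapp.azure.com",
    ".azurewebsites.net",
    ".trafficmanager.net",
    ".blob.core.windows.net",
)

# Constructed sample zone: name -> ("CNAME", target) or ("A", [addresses]).
# Names absent from the dict do not resolve (NXDOMAIN). All names are made up.
SAMPLE_ZONE: Dict[str, Tuple[str, object]] = {
    "notifications.example-tiles.test": ("CNAME", "tiles-svc-old.cloudapp.net"),
    "www.example-tiles.test": ("CNAME", "web-prod.azurewebsites.net"),
    "web-prod.azurewebsites.net": ("A", ["203.0.113.10"]),
    "mail.example-tiles.test": ("CNAME", "mx.example-tiles.test"),
    "mx.example-tiles.test": ("A", ["203.0.113.25"]),
    "old.example-tiles.test": ("CNAME", "retired.example-tiles.test"),
    "loop.example-tiles.test": ("CNAME", "loop.example-tiles.test"),
}

LookupResult = Tuple[str, Optional[object]]
Lookup = Callable[[str], LookupResult]


def static_lookup(name: str) -> LookupResult:
    """Resolve one name against SAMPLE_ZONE; ("NXDOMAIN", None) if absent."""
    return SAMPLE_ZONE.get(name.lower().rstrip("."), ("NXDOMAIN", None))


def live_lookup(name: str) -> LookupResult:
    """Same contract against real DNS using dnspython (pip install dnspython).
    Imported lazily so the offline parts of this example run without it."""
    import dns.resolver
    try:
        answer = dns.resolver.resolve(name, "CNAME")
        return ("CNAME", answer[0].target.to_text().rstrip("."))
    except dns.resolver.NXDOMAIN:
        return ("NXDOMAIN", None)
    except dns.resolver.NoAnswer:
        pass  # no CNAME at this name; fall through to an address lookup
    try:
        answer = dns.resolver.resolve(name, "A")
        return ("A", [rdata.address for rdata in answer])
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return ("NXDOMAIN", None)


def _result(chain: List[str], verdict: str, candidate: bool = False) -> dict:
    return {"name": chain[0], "chain": chain, "verdict": verdict,
            "takeover_candidate": candidate}


def classify(name: str, lookup: Lookup = static_lookup, max_hops: int = 8) -> dict:
    """Follow the CNAME chain from `name` and report where it ends.

    verdict: 'ok' (ends at an address record), 'nxdomain' (the name itself
    does not exist), 'dangling' (a CNAME target no longer resolves), 'loop',
    or 'too_long'. takeover_candidate is True only for a dangling target under
    a re-registrable cloud suffix, the condition exploited in the post above;
    a dangling target inside your own zone is still broken but not claimable.
    """
    chain = [name.lower().rstrip(".")]
    current = chain[0]
    for _ in range(max_hops):
        rtype, data = lookup(current)
        if rtype == "A":
            return _result(chain, "ok")
        if rtype == "NXDOMAIN":
            if len(chain) == 1:
                return _result(chain, "nxdomain")
            return _result(chain, "dangling", current.endswith(TAKEOVER_PRONE_SUFFIXES))
        target = str(data).lower().rstrip(".")
        if target in chain:
            return _result(chain + [target], "loop")
        chain.append(target)
        current = target
    return _result(chain, "too_long")


def takeover_candidates(names, lookup: Lookup = static_lookup) -> List[dict]:
    """Return only the findings an outsider could act on."""
    return [r for r in (classify(n, lookup) for n in names) if r["takeover_candidate"]]


if __name__ == "__main__":
    for r in (classify(n) for n in SAMPLE_ZONE):
        print(f"{r['verdict']:<9} takeover={str(r['takeover_candidate']):<5} "
              + " -> ".join(r["chain"]))
```

The remediation Microsoft applied, removing the CNAME record, is exactly what turns the flagged entry back into `nxdomain`, which is the state to aim for when a cloud resource is decommissioned: delete the DNS record before, not after, releasing the resource. To run this against a real zone, pass `live_lookup` as the `lookup` argument with the names exported from your DNS provider; the suffix list should then be extended with the platforms you actually use.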