A security researcher duo from Vullnerability has revealed the careless attitude Microsoft maintains when it comes to the online security of its products and services.
The concern here is that many of these now-abandoned subdomains can be used by malicious actors to impersonate Microsoft and target innocent users. For instance, one of the sub-domains is identified as mybrowser.microsoft.com, which, in the past, hosted details of its web browser Edge.
The content for this subdomain was hosted on an Azure server instance. When a user visited mybrowser.microsoft.com, the DNS lookup returned a CNAME pointing at a hostname like ‘webserver9000.azurewebsites.net’, and the browser was sent on to that Azure host.
Today, that Azure server instance no longer exists, but the DNS record pointing at it was left in place. Microsoft has a history of being slow to clean up DNS records for abandoned sub-domains.
While it won’t bring a digital apocalypse, it creates an opportunity for an attacker who registers a new Azure instance under the same hostname. That’s because the DNS record would still point the user to webserver9000.azurewebsites.net.
Thus, an unsuspecting user visiting mybrowser.microsoft.com won’t know whether the site is malicious or officially maintained by the company. The attacker can take advantage of the situation to set up a clone website and ask users to enter their credentials, hijack browser cookies, and so on.
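The defender's side of the problem described above is finding dangling CNAME records before anyone else does. The following script is an added example written for this article, not code from the researchers or from Microsoft: it parses a BIND-style zone export, checks whether each CNAME target still resolves, and flags targets that no longer exist, rating those on a self-service hosting platform (here only the azurewebsites.net suffix named in the article) as high severity. The zone fragment and resolver answers are constructed so it runs offline; `fake_resolve`, `SAMPLE_ZONE`, the `example.com` entries and the `CLAIMABLE_SUFFIXES` list are assumptions, and a real audit would replace `fake_resolve` with live lookups against authoritative resolvers.

```python
"""Audit a DNS zone export for dangling CNAME records (subdomain-takeover exposure).

Added example, not code from the article's researchers or from Microsoft.
Zone text and resolver answers are constructed so the script runs offline.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Platforms where a released hostname can be re-registered by any account holder.
# Only the suffix named in the article is listed (assumption: extend from your inventory).
CLAIMABLE_SUFFIXES = (".azurewebsites.net",)


@dataclass
class Finding:
    name: str        # the organisation's subdomain (the CNAME owner)
    target: str      # where the CNAME points
    severity: str    # "high" or "low"
    reason: str


def parse_cnames(zone_text: str) -> List[Tuple[str, str]]:
    """Extract (owner, target) pairs from 'owner TTL IN CNAME target' zone lines."""
    pairs = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 5 and fields[2].upper() == "IN" and fields[3].upper() == "CNAME":
            owner = fields[0].rstrip(".").lower()
            target = fields[4].rstrip(".").lower()
            pairs.append((owner, target))
    return pairs


Resolver = Callable[[str], Optional[List[str]]]


def find_dangling(pairs: List[Tuple[str, str]], resolve: Resolver) -> List[Finding]:
    """Flag CNAMEs whose target no longer exists.

    resolve(host) returns the target's A records, or None for NXDOMAIN.
    A dead target on a self-service platform is the article's scenario: anyone
    who creates an instance with that name receives the subdomain's traffic.
    """
    findings = []
    for owner, target in pairs:
        if resolve(target) is not None:
            continue                                  # target still resolves: not dangling
        if target.endswith(CLAIMABLE_SUFFIXES):
            findings.append(Finding(owner, target, "high",
                                    "target is NXDOMAIN on a platform where names are self-service"))
        else:
            findings.append(Finding(owner, target, "low",
                                    "target is NXDOMAIN; check whether the target domain is registrable"))
    return findings


# --- constructed sample data (reuses the article's hostnames; not a real zone export) ---
SAMPLE_ZONE = """
; constructed fragment of a corporate zone
mybrowser.microsoft.com.   300 IN CNAME webserver9000.azurewebsites.net.
docs.example.com.          300 IN CNAME docs-prod.azurewebsites.net.
status.example.com.        300 IN CNAME status.vendor-hosting.invalid.
www.example.com.           300 IN A     203.0.113.20
"""

# Constructed resolver answers: only docs-prod still exists.
SAMPLE_ANSWERS = {"docs-prod.azurewebsites.net": ["203.0.113.10"]}


def fake_resolve(host: str) -> Optional[List[str]]:
    """Stand-in for a live DNS lookup (assumption: replace with a real resolver)."""
    return SAMPLE_ANSWERS.get(host)


def audit(zone_text: str = SAMPLE_ZONE, resolve: Resolver = fake_resolve) -> List[Finding]:
    return find_dangling(parse_cnames(zone_text), resolve)


if __name__ == "__main__":
    for f in audit():
        print(f"[{f.severity}] {f.name} -> {f.target}: {f.reason}")
```

Run as a scheduled job over the organisation's zone exports, the high-severity findings are the records to delete (or re-point) immediately; the low-severity ones still deserve a look, since a CNAME to an expired or unregistered domain can be just as exposed.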
The researchers have already notified Microsoft about the loophole, and since then the sub-domains in question appear to have been taken down. They listed some of the sub-domains they hijacked as proof that the finding is legitimate.
This is not the first time that such subdomain abuse has been highlighted. However, the researchers point out that Microsoft doesn’t reward subdomain takeover vulnerabilities, which could discourage researchers from reporting them.