Spammers Hacked Microsoft Subdomains and Post Ads

[livebox 39]

 

Security researcher and developer at NIC.gp. Michel Gaschet found at Microsoft serious problems managing thousands of his subdomains. According to him, the company's subdomains can be easily hacked by attackers and used in attacks on both its users and employees.

Over the past three years, Gasket has repeatedly reported to Microsoft about subdomains with incorrect DNS record configurations, but the company either ignored its messages or “silently” fixed bugs, but not all of them. So, in 2017, the researcher notified of 21 vulnerable subdomains of msn.com, and in 2019, another 142 subdomains of microsoft.com. According to Gasket, the company corrected the configuration of no more than 5-10% of the subdomains that he reported.

Until recently, vulnerable subdomains did not cause Microsoft any concern. However, now everything seems to have changed. The researcher identified at least one cybercriminal group hacking Microsoft subdomains in order to publish spam on them. On at least four subdomains, Basket found ads from Indonesian online casinos (portal.ds.microsoft.com, perfect10.microsoft.com, ies.global.microsoft.com, and blog-ambassadors.microsoft.com).

According to the researcher, Microsoft is in no hurry to fix vulnerabilities on its subdomains, since this is not included in the reward payment program for detected vulnerabilities. The problem of hacking subdomains is not part of bug bounty and therefore is not a priority.

 

 

Source: https://www.securitylab.ru/news/505182.php

[0xStrait 39]

Am vazut si eu stirea asta pe Twitter undeva. Nu inteleg de ce o companie gigant cum e Microsoft a inclus o vulnerabilitate de tipul asta ca fiind out of scope.

De exemplu Starbucks plateste $2,000 pentru subdomain takeover.  

Edited February 20 by 0xStrait

[Nytro 3988]

Da, insa conteaza foarte multe numele acelor subdomenii. Nu ar trebui sa fie out of scope, insa payout-ul ar trebui sa fie in functie de numele subdomeniului si riscul pe care il aduce.