Subdomain Takeover: Microsoft loses control over Windows Tiles

The Tiles service Microsoft introduced with Windows 8 has never been particularly successful. Microsoft has disabled a web service for the system but forgot to delete nameserver entries. This made the host vulnerable for a subdomain takeover attack - allowing us to control the contents. By doing so we were able to show arbitrary pictures and text within the tiles of other web pages.

The tiles can fullfil a number of functions. They allow web pages to display news on the tiles with a special meta tag. This function is called Windows Live Tiles. Web pages which support this service can be pinned as a tile.

Microsoft service converts RSS feed to Tiles

With a special XML-based file format, web pages can control the content of the tiles; for example, they can show the latest news. To make it easier for web pages to provide this function, Microsoft ran a service that automatically converted RSS feeds into that special XML format.

The web page that allows creating the corresponding meta tags is still online, although the service no longer works. The host that should deliver the XML files - notifications.buildmypinnedsite.com - only showed an error message from Microsoft's cloud service Azure.

The abandoned host was vulnerable for a so-called subdomain takeover attack. The host was redirected to a subdomain of Azure. However this subdomain wasn't registered with Azure.

Azure subdomain could be re-registered

The takeover works via a so-called CNAME nameserver entry. It redirects all requests for the host to the unregistered Azure subdomain. With an ordinary Azure account, we were able to register that subdomain and add the corresponding host name. Thus we were able to control which content is served on that host.

Web pages using the defunct service from Microsoft included the Russian mail provider Mail.ru, Engadget, and German news sites Heise Online and Giga. Web pages that include these meta tags should remove them or, if they want to keep the functionality, create the corresponding XML files themselves.

Microsoft does not answer

We have informed Microsoft about this problem but haven't received a reply yet. We won't keep the host registered permanently. There's a decent amount of traffic reaching this host and running up costs to hold the domain and block the corresponding subdomain even if we stop the web service and don't provide any content. Once we cancel the subdomain a bad actor could register it and abuse it for malicious attacks.

Windows Tiles were introduced on the start screen of Windows 8 and moved to the start menu in Windows 10. They have never been particularly popular. The web page Windowscentral speculated in January that the Tiles may be deprecated soon. The upcoming Windows Lite is rumored to come without Tiles already.

Update from April 18th, 11:56

Microsoft has now deleted the nameserver record and we no longer control the subdomain. We still haven't received a reply from Microsoft.