by Martin Brinkmann on April 17, 2019 in Security, Windows
Microsoft introduced Tiles in the Windows Start Menu and Start page when it launched the Windows 8 operating system. Tiles were designed to add a dynamic element to the previously static program, service and website links by letting them load new content regularly, but the feature never saw broad adoption among Windows users.
Many users were only ever exposed to the default set of tiles that Microsoft added to Start profiles; this did not stop Microsoft from carrying Live Tiles over to Windows 10 as well. Websites and services could support the feature too, so that users who pinned them to Start would receive updated tiles whenever new content became available. While tiles are on their way out, they are still supported in all recent versions of Windows.
A story on the German computer site Golem (available in English) describes how Golem took over a host responsible for delivering Tile content to Windows systems, because Microsoft had left it open to what is called a subdomain takeover.
The takeover gave Golem full control over the content the host delivered to user systems; Windows 8 and 10 users can pin supporting websites to Start to receive updates whenever new content is published.
Golem noted that sites such as Engadget, Mail.ru, and the major German news sites Heise and Giga supported tiles, as did many others.
How the attack was carried out
The host responsible for delivering data to Windows devices was notifications.buildmypinnedsite.com. Microsoft appears to have abandoned the service behind it: the host's DNS still pointed at an Azure subdomain, but nobody had that subdomain registered with Azure any longer. That combination, a record that still points at a provider-hosted name plus a name that no one at the provider currently owns, is the textbook precondition for a subdomain takeover. Golem registered the unclaimed Azure name with a regular Azure account, added the corresponding host names to it, and from that point on controlled everything the Tiles service delivered to user devices.
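The condition described above can be checked for any zone: walk the CNAME chain of each name and flag chains that end at an unregistered name on a provider where anyone can claim it. The script below is an added example written for this article, not tooling from Golem or Microsoft, and it generalises the single case in the story to an arbitrary list of names. The zone data, host names and provider suffix list are constructed for the example; `lookup` is an in-memory stub that a practitioner would replace with a real DNS query.

```python
"""Find DNS names whose CNAME chain ends at an unclaimed cloud hostname.

The takeover described above needs two conditions at once: a record that
still points at a provider-hosted name, and that name no longer being
registered by anyone at the provider. classify() walks the chain and reports
the combination. The resolver is an in-memory table so the example runs
offline; replace lookup() with a real DNS query (e.g. dnspython) to use it.
"""

# Provider suffixes where an unregistered name can be claimed by any tenant.
# Illustrative, not exhaustive (assumption: extend it for your own providers).
TAKEOVER_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".herokuapp.com",
)

# Constructed zone data: owner name -> list of (rrtype, rdata). A name absent
# from the table is treated as NXDOMAIN. All host names here are made up.
SAMPLE_RECORDS = {
    # Dangling: the Azure target has no records, i.e. nobody owns it any more.
    "tiles.example.com.": [("CNAME", "tiles-example.azurewebsites.net.")],
    # Healthy: the Azure target still resolves.
    "www.example.com.": [("CNAME", "www-example.azurewebsites.net.")],
    "www-example.azurewebsites.net.": [("A", "203.0.113.10")],
    # Dangling, but not at a self-service provider: needs a human look.
    "old.example.com.": [("CNAME", "retired-box.example.org.")],
    # CNAME loop, which a naive chain walker would follow forever.
    "loop.example.com.": [("CNAME", "loop2.example.com.")],
    "loop2.example.com.": [("CNAME", "loop.example.com.")],
    "static.example.com.": [("A", "203.0.113.20")],
}


def fqdn(name):
    """Normalise to a lower-case, dot-terminated name."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def lookup(name, records=SAMPLE_RECORDS):
    """Stub resolver: return the record set for name, or None for NXDOMAIN."""
    return records.get(fqdn(name))


def classify(name, records=SAMPLE_RECORDS, max_hops=8):
    """Follow CNAMEs from name and return (status, final_name).

    status: 'ok'                          chain ends at a name with records
            'dangling-takeover-candidate' chain ends at an unclaimed name on a
                                          self-service provider suffix
            'dangling'                    chain ends at NXDOMAIN elsewhere
            'loop'                        CNAME cycle or too many hops
            'nxdomain'                    the queried name itself does not exist
    """
    start = fqdn(name)
    cur = start
    seen = set()
    for _ in range(max_hops):
        if cur in seen:
            return ("loop", cur)
        seen.add(cur)
        rrs = lookup(cur, records)
        if rrs is None:
            if cur == start:
                return ("nxdomain", cur)
            if cur.rstrip(".").endswith(TAKEOVER_SUFFIXES):
                return ("dangling-takeover-candidate", cur)
            return ("dangling", cur)
        cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if not cnames:
            return ("ok", cur)
        cur = fqdn(cnames[0])
    return ("loop", cur)


def takeover_candidates(names, records=SAMPLE_RECORDS):
    """Return [(name, dangling_target)] for every name that looks takeable."""
    out = []
    for n in names:
        status, target = classify(n, records)
        if status == "dangling-takeover-candidate":
            out.append((fqdn(n), target))
    return out


if __name__ == "__main__":
    for n in SAMPLE_RECORDS:
        print(n, *classify(n))
```

Run against real DNS, the interesting output is the `dangling-takeover-candidate` class: each hit is a name an outsider could claim with an ordinary account at that provider, exactly as happened here. The `dangling` class still deserves a ticket (the record is stale), and `loop` is included because CNAME cycles do occur in neglected zones and would otherwise hang a scanner.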
The magazine contacted Microsoft about the issue but, according to the article, did not receive a response. It noted that the host received a "decent amount of traffic" and that Golem would not keep the host registered permanently because of the running costs.
Golem has since stopped the web app; the host now returns a 403 "this web app is stopped" error, so manipulated content cannot currently be delivered to user devices. Note that this only parks the problem rather than fixing it: as long as Microsoft's DNS record keeps pointing at the unclaimed Azure name, whoever registers that name next controls the host again, which is why Golem's remark that it will not hold the registration indefinitely matters.
Windows users who have pinned websites to Start may want to deactivate website live tiles as a consequence (see this tutorial for Windows 8 Live Tiles), and website owners may want to drop support for the feature, or at least stop pointing it at a host they do not control, to protect against potential abuse.
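For site owners, the first question is whether their pinned-site tiles depend on a third-party notification host at all. Windows pinned sites declare the tile feed under the notification element of the site's browserconfig.xml (the msapplication-notification meta tag carries the same settings), so that file is where to look. The following is an added example written for this article, not code from Golem, Microsoft or any of the sites named above; the browserconfig.xml content and the host names in it are constructed for the example.

```python
"""List the external hosts a site's Windows tile notifications depend on.

Pinned-site tiles poll the URIs declared as polling-uri, polling-uri2, ...
under <notification> in browserconfig.xml. Any polling host outside the
site's own domain is a third party that can serve arbitrary tile content to
every user who pinned the site, and whose DNS hygiene the site owner does not
control. The XML below is constructed for the example.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMPLE_BROWSERCONFIG = """<?xml version="1.0" encoding="utf-8"?>
<browserconfig>
  <msapplication>
    <tile>
      <square150x150logo src="/images/tile-150.png"/>
      <TileColor>#2d89ef</TileColor>
    </tile>
    <notification>
      <polling-uri src="https://notifications.example-tiles.net/feed?site=1"/>
      <polling-uri2 src="/tiles/local-feed.xml"/>
      <frequency>30</frequency>
      <cycle>1</cycle>
    </notification>
  </msapplication>
</browserconfig>
"""


def polling_uris(xml_text):
    """Return every polling-uri* src value, in document order."""
    # Parse from bytes so the XML encoding declaration is honoured.
    root = ET.fromstring(xml_text.encode("utf-8"))
    uris = []
    for notif in root.iter("notification"):
        for child in notif:
            if child.tag.startswith("polling-uri") and child.get("src"):
                uris.append(child.get("src"))
    return uris


def external_hosts(xml_text, site_domain):
    """Hosts the tile feed depends on that are not the site's own domain.

    Relative URIs are served by the site itself and are skipped; a host is
    considered internal if it equals site_domain or is a subdomain of it.
    """
    site_domain = site_domain.lower().rstrip(".")
    hosts = set()
    for uri in polling_uris(xml_text):
        host = urlsplit(uri).hostname
        if host is None:
            continue
        host = host.lower().rstrip(".")
        if host != site_domain and not host.endswith("." + site_domain):
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for h in external_hosts(SAMPLE_BROWSERCONFIG, "example.com"):
        print("tile feed depends on third-party host:", h)
```

Every host this prints is one the site owner should either bring in-house (serve the feed from the site's own domain, as the second polling URI in the sample does) or at least monitor with a dangling-CNAME check; if the feed is not worth that effort, removing the notification element is the cleanest way to drop the feature.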
Closing Words
I never thought much of Live Tiles on desktop versions of Windows. While some functionality was appreciated, e.g. getting an up to date weather report by opening Start, most of the functionality did not make much sense on the desktop in my opinion.
A scenario like this should never happen in my opinion, especially not if it has the potential to affect customers negatively.
Now You: What is your take on Live Tiles or dynamic tiles in general?