Microsoft Live Account Credentials Leaking From Windows 8 And Above

by Moritz Walter August 02, 2016

Discovered in 1997 by Aaron Spangler and never fixed, the WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4) is certainly an excellent vintage. In Windows 8 and 10, the same bug has now been found to potentially leak the user's Microsoft Live account login name together with an NTLMv2 challenge-response derived from the account password, credentials that are also used to access OneDrive, Outlook, Office, Mobile, Bing, Xbox Live, MSN and Skype (if used with a Microsoft account).

The bug itself seems to be present in all Windows systems since Windows 95 / NT, although only Windows 8 and above are effectively compromised, because only there does the leaked login belong to an online Microsoft account rather than a purely local one. To see if your machine is affected, you may want to check the public demonstration of the exploit, set up by the guys from [Perfect Privacy] and based on ValdikSS's original work.

The exploit as demonstrated by Xiaoran Wang et al. in the white paper.

Basically, the default User Authentication Settings of Edge/Spartan (and likewise Internet Explorer and Outlook) let the browser connect to network shares on the local network, but erroneously fail to block connections to shares on remote hosts. To exploit this, an attacker simply sets up an SMB network share on a machine under their control. An embedded image link that points to that share (a UNC path rather than an http:// URL) is then sent to the victim, for example as part of an email or a web page. As soon as the prepared content is viewed inside a Microsoft product such as Edge/Spartan, Internet Explorer or Outlook, that software will try to connect to the share in order to download the image. In doing so, it silently authenticates to the attacker's server with NTLM, sending the user's Windows login username (plus computer or domain name) in plaintext along with the NTLMv2 response, a keyed hash computed from the password's NT hash and a challenge the attacker's server chose.

Even though the original issue has existed and been known for nearly two decades now, its severity has only recently increased. Back in 1997, the attacker would have obtained only your local Windows login data, but in Windows 10 the default login method is the user's Microsoft Live account. Because what leaks is an NTLMv2 challenge-response rather than the password hash itself, it cannot be used directly for pass-the-hash; the attacker usually has to resort to GPU-assisted offline cracking to retrieve the password from the captured response (or can skip cracking and relay the authentication to another service), but the result can be as thorough as full compromise, including the mentioned Microsoft services and even remote access.

To mitigate, use a firewall that blocks outbound SMB (TCP ports 445 and 139) so the authentication attempt never reaches an Internet host (on Windows, the security policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" can additionally deny outgoing NTLM altogether), strengthen your Microsoft Live account password so that a captured response resists offline cracking, and avoid viewing untrusted content in Microsoft products such as Edge/Spartan, Internet Explorer (just saying..) and Outlook. The same goes for VPN connections over IPSec, which may leak VPN credentials in the same way. Firefox and Chrome are not affected.

Filed under: news, security hacks, slider
