Microsoft Live Account Credentials Leaking From Windows 8 And Above

Discovered in 1997 by Aaron Spangler and never fixed, the WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4) is certainly an excellent vintage. In Windows 8 and 10, the same bug has now been found to potentially leak the user’s Microsoft Live account login and (hashed) password information, which is also used to access OneDrive, Outlook, Office, Mobile, Bing, Xbox Live, MSN and Skype (if used with a Microsoft account).

The bug itself seems to be present in all Windows systems since Windows 95 / NT, although only Windows 8 and above are effectively compromised. To see if your machine is affected, you may want to check the public demonstration of the exploit, set up by the guys from [Perfect Privacy] and based on [ValdikSS] original work.

pp-leak-evilhacker
The exploit as demonstrated by Xiaoran Wang et al. in the white paper.

Basically, the default User Authentification Settings of Edge/Spartan (also Internet Explorer, Outlook) lets the browser connect to local network shares, but erroneously fail to block connections to remote shares. To exploit this, an attacker would simply set up a network share. An embedded image link that points to that network share is then sent to the victim, for example as part of an email or website. As soon as the prepped content is viewed inside a Microsoft product such as Edge/Spartan, Internet Explorer or Outlook, that software will try to connect to that share in order to download the image. Doing so, it will silently send the user’s Windows login username in plaintext along with the NTLMv2 hash of the login password to the attacker’s network share.

Even though the original issue exists and is known since more than two decades now, its severity has crept in only lately. Back in 1997, the attacker would have only obtained your local Windows login data, but in Windows 10, the default login method is the user’s Microsoft Live account. An attacker may have to resort to GPU-assisted hash-cracking to retrieve the password from the NTLMv2 hash (or even not), but the result can be as thorough as full compromise, including the mentioned Microsoft services and even remote access.

To mitigate, use a firewall, strengthen your Microsoft Live account password and avoid using Microsoft products such as Edge/Spartan, Internet Explorer (just saying..) and Outlook, as well as VPN connections over IPSec, which may leak VPN credentials in the same way. Firefox and Chrome are not affected.

62 thoughts on “Microsoft Live Account Credentials Leaking From Windows 8 And Above

      1. Funny story – I followed this link to the berlandhope site, and that’s how I found out my Ugly SMD Adapters have been written up on HaD today! I just happened to see the headline on their site while exploring the unbelievable fraud there. That’s really a problem.

        1. This is probably a SEO site, like part of a really crappy PBN or something. It’s not really a real website though, it’s just sort of there and on autopilot probably reposting from an aggregated RSS feed.

      1. unbelievable ? not so much. HaD bloggers themselves don´t create content, but aggregate content created from other people, without asking their consent to publish it, so what ?

        1. This bertlandhope website appears IMO to exist only to sell advertising and steal logins + passwords from commentators.
          And it does it using blatant copy-paste with zero credit to the original ‘blog post’.

      2. I’m glad I’m not the only one who thinks this behavior sucks.

        It’s been happening a lot in the last few months. I’m not sure if that’s a recognition of how awesome the Hackaday writers are, or something else. I like to think this is a problem you only have when the articles are awesome :-D

      1. But it’s not the hackaday that we all know and love. It was all about cutting down woods, building churches out of discarded materials, and exploiting one of pokemon go’s biggest cyber-vulnerabilities by binding down a phone to a fan’s propeller and letting it spin around.

        http://hackaday.com/2016/07/28/log-splitters-hacking-wood-for-heat/

        http://hackaday.com/2016/07/22/one-man-spends-53-years-and-builds-a-cathedral/

        http://hackaday.com/2016/07/18/pokemon-go-egg-incubator-takes-your-eggs-for-a-spin/

          1. Yep, and it’s so juicy. MS Account is used for, let’s see… Skype, XBox Live, Outlook.com, Office 360, MSN Messenger, Bing, Windows Phone, OneDrive, Microsoft Store… Everything pwned after visiting a website. naice.

        1. the mistake is to think that this is a warning for the users. this is a hacking site, it is more like a tutorial or “how to” for inspiring the hackers. Why only MS ? maybe the media is biased and trying to manipulate us in a certain way. but you should feel to hack Android, Linux and MacOS as well.

        2. HaD doesn’t cover all of Microsoft Live vulnerabilities. It is treated as any other vulnerabilities touching other systems. And there is article about vulnerabilities touching MacOS/Linux/Android/Facebook/Twitter/Whatsapp and even more. Check the tags associated with this article.

    1. Funny, I’ve never had IE “crammed down my throat” and I’ve been a Windows user since Windows 3.0 came out. Windows 10 is not different, if you want to use something other than IE (or “Edge” as they’re calling it now), simply install your browser of choice and set it as your default.

        1. Yup, I do remember that. Funny how Apple was never sued for doing the exact same thing…
          I also remember having no trouble whatsoever using other browsers on the Windows versions that were in use at that time. I think I used Netscape back then. No one was “cramming IE down my throat” or pressuring me to use it.

    1. Microsoft can’t afford to support all there “supported” Windows versions. They will continue to give away Win10 until the win7/win8 group is small enough to neglect. Microsoft is hell-bend on making there software rent-only, so if you buy now, you will end up paying twice.

    1. I think 19 years probably satisfies most people’s standards for responsible disclosure. The only “new” thing about this vuln is that Windows now uses Live accounts for login by default. Meanwhile untold scores of Active Domain logins could have been leaked over the last two decades. (I’m assuming that’s what would happen if you’re on a domain account.)

  1. It’s your own fault. Windows was never designed to be connected to a network (let alone anything like the internet), and despite Microsoft and other Windows software suppliers making it almost impossible to run (update, activate) there software without internet connection, it still isn’t and maybe never will.

  2. That might explain why MS pushed so many updates and patches that are related to SMB, Netbios, shares etc last month.
    Most of them cause pain in the a$$ in enterprise.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s