Michel Gaschet, a researcher with NIC.gp, disclosed the problem during an interview with ZDNet. He says such issues with Microsoft subdomains are frequent. While he has reported the problematic sites to Microsoft, he says the company has either ignored him or fixed sites without responding. However, only around 10% of the Microsoft subdomains have been fixed, Gaschet says. In total, the researcher has disclosed information on numerous subdomain vulnerabilities, including:
- 21 msn.com subdomains
- 142 misconfigured microsoft.com subdomains
- 117 further microsoft.com subdomains
“The root cause/mistake is a forgotten DNS entry pointing to something that doesn’t exist anymore, or never existed, like a typo in the DNS entry content,” Gaschet told ZDNet. A bad actor could exploit these misconfigurations to hijack a subdomain and launch attacks to find user login credentials. This could affect Microsoft employees or users.
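As an added illustration (not from the article, ZDNet, or Gaschet), the sketch below shows how a zone owner could audit their own DNS export for the root cause described above: CNAME entries whose target no longer resolves. The zone contents, the `example.com` and `cloudhost.example` names, and all function names are constructed assumptions.

```python
import socket

# Constructed sample zone export; names are placeholders, not from the article.
SAMPLE_ZONE = """\
www.example.com.      3600 IN CNAME app-prod.cloudhost.example.
promo.example.com.    3600 IN CNAME promo-2017.cloudhost.example.  ; campaign ended
shop.example.com.     3600 IN CNAME shpo.cloudhost.example.        ; typo in target
mail.example.com.     3600 IN A     192.0.2.10
"""

def parse_cnames(zone_text):
    """Return (owner, target) pairs for every CNAME line in a zone export."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # strip trailing comments
        if "CNAME" in fields:
            idx = fields.index("CNAME")
            if idx >= 1 and idx + 1 < len(fields):
                owner = fields[0].rstrip(".").lower()
                target = fields[idx + 1].rstrip(".").lower()
                records.append((owner, target))
    return records

def system_resolves(hostname):
    """Default check: True if the name currently resolves to any address."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        # Includes temporary failures, so treat a hit as a candidate to review.
        return False

def find_dangling(zone_text, resolves=system_resolves):
    """CNAME records whose target does not resolve (removed resource or typo)."""
    return [(owner, target)
            for owner, target in parse_cnames(zone_text)
            if not resolves(target)]

if __name__ == "__main__":
    # Constructed stand-in for live DNS: only this target still exists.
    live = {"app-prod.cloudhost.example"}
    for owner, target in find_dangling(SAMPLE_ZONE, resolves=lambda h: h in live):
        print(f"DANGLING {owner} -> {target}: remove or correct this record")
```

A target that still resolves can nonetheless be unclaimed on the hosting provider's side, so a clean result here covers only the forgotten-entry and typo cases.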
Avoiding the Issue
Gaschet believes Microsoft is not focusing on fixing the subdomains because it does not cover such hijacking under its bounty program. In other words, the company doesn’t pay people who discover these issues, and so researchers are not looking for them.
On Twitter, Gaschet criticized Microsoft’s response team in regard to the issue:

“This kind of stuff, this is what you get by putting subdomain takeover out of scope, and don’t fix critical subdomain takeover from good peoples, rarely thanks them and generally not respond to them. Great job, @msftsecresponse 👏” — Michel Gaschet (@Michel_Gaschet), February 18, 2020