Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

IT manager gets certificate for Microsoft domain, tries to report it but gets in trouble

Lucian Constantin | March 19, 2015
The Finnish manager tried to alert the company in January, but the company never got his emails, and later suspended his Microsoft account.

"Of course, not all the decisions I made were smart, but I tried my best," he said, referring to how he handled the investigation and reporting of the issue.

"Through our own investigations, independent from the researcher, we identified and have fixed the misconfiguration that was allowing people to create accounts reserved for Microsoft's use," a Microsoft representative said via email Wednesday.

The Microsoft representative added that it is "standard practice" for the company to disable accounts where there may be a violation of Microsoft's terms of service or where a security risk could be present, and to guide account holders on how to recover access the next time they try to log in. "Through this process, we contacted the researcher and are working with him to restore his account," the representative said.

The IT manager confirmed after Microsoft sent its statement that he regained access to his account.

Administrative email addresses need to be reserved from the start, so that nobody can use them maliciously, said Frans Rosén, co-founder of Web security firm Detectify, via email. Some certificate issuers manually verify domain ownership, but such email addresses, along with those listed in domain whois records, are often accepted for verification by default, making their hijacking really dangerous, he said.

Rosén expressed surprise that Microsoft failed to protect those usernames, saying that this is a fairly commonly known problem for services that allow user-generated email addresses.

Researchers at Detectify recently investigated how forgotten subdomains can be abused by attackers, possibly to obtain SSL certificates which could then be used in man-in-the-middle attacks.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.