Web pages using Live Tiles from Windows 8 should remove meta tag

UPDATED An abandoned news app for Windows 8 can be manipulated to display content of an attacker’s choosing, leaving users vulnerable to nefarious activities including damage to a company’s brand.

The subdomain takeover attack – which essentially occurs when a discontinued service is not deleted properly – stems from the Live Tiles feature of Microsoft Windows 8.

Live Tiles is an interactive app that provides users with snippets of information from their favorite application or website – like the Weather app. Apps and websites that support the feature do so through an XML file, which is created by adding a meta tag to a site’s source code via buildmypinnedsite.com.

Microsoft reportedly disabled the Live Tiles app in Windows 8 due to its lack of uptake – but forgot to delete its CNAME records, the DNS entries for the subdomains and hosts that used the service.

This oversight allowed security researcher and journalist Hanno Böck to control content through the host notifications.buildmypinnedsite.com – the subdomain that allowed apps and websites to add a meta tag to their source code and thus serve live updates to their users.

“The web page that allows creating the corresponding [Windows Live Tiles] meta tags is still online, although the service no longer works,” Böck said in his report for Golem.de, a German technology news platform.

“The host that should deliver the XML files – notifications.buildmypinnedsite.com – only showed an error message from Microsoft's cloud service Azure.”

Böck and his team were able to register the notifications.buildmypinnedsite.com subdomain using a standard Microsoft Azure account and control the Live Tile content of websites still registered with the Windows Live Tiles service, including Engadget, Mail.ru, and German news sites Heise Online and Giga.

“Web pages that include these meta tags should remove them or, if they want to keep the functionality, create the corresponding XML files themselves,” Böck said, adding that they had informed Microsoft of the issue but had yet to receive a response.

“Once we cancel the subdomain a bad actor could register it and abuse it for malicious attacks,” he warned.

A spokesperson from Microsoft told The Daily Swig: “We’ve resolved this issue and the subdomain has been removed.”
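For site owners acting on Böck's advice, the check below scans a page's HTML for Live Tile meta tags that still poll the abandoned host. It is an added example, not code from Böck, Golem.de or Microsoft; the tag name `msapplication-notification` and its `polling-uri` keys are assumed from the pinned-site notification format, which the article does not spell out, and the sample HTML is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Host named in the article. The meta tag name and "polling-uri" keys are an
# assumption about the pinned-site notification format (not given in the article).
ABANDONED_HOSTS = {"notifications.buildmypinnedsite.com"}
META_NAME = "msapplication-notification"

# Constructed sample: one feed via the abandoned host, one self-hosted XML file.
SAMPLE_HTML = """
<head>
<meta name="application-name" content="Example News"/>
<meta name="msapplication-notification"
      content="frequency=30;polling-uri=http://notifications.buildmypinnedsite.com/?feed=http://news.example.test/rss&amp;id=1;polling-uri2=https://news.example.test/tiles/2.xml;cycle=1"/>
</head>
"""


class LiveTileMetaFinder(HTMLParser):
    """Collects every polling URI declared in Live Tile notification meta tags."""

    def __init__(self):
        super().__init__()
        self.polling_uris = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").strip().lower() != META_NAME:
            return
        # content is a ';'-separated list: frequency=...;polling-uri=...;cycle=...
        for part in attr.get("content", "").split(";"):
            key, sep, value = part.strip().partition("=")
            if sep and key.strip().lower().startswith("polling-uri"):
                self.polling_uris.append(value.strip())


def find_risky_tile_feeds(html, risky_hosts=ABANDONED_HOSTS):
    """Return polling URIs whose host is one the site owner does not control."""
    finder = LiveTileMetaFinder()
    finder.feed(html)
    return [uri for uri in finder.polling_uris
            if (urlsplit(uri).hostname or "").rstrip(".") in risky_hosts]


if __name__ == "__main__":
    for uri in find_risky_tile_feeds(SAMPLE_HTML):
        print("remove or self-host:", uri)
```

Any URI it reports is a tag to remove or to repoint at an XML file served from the site's own domain.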


This article has been updated to include comments from Microsoft.