Tech Echo

A tech news platform built on Next.js, providing global tech news and discussion content.

Resource links: HackerNews API, original HackerNews, Next.js

© 2025 Tech Echo. All rights reserved.

Microsoft subdomain takeover

271 points, by kailanb, over 2 years ago

19 comments

ericpauley, over 2 years ago
Security vulnerabilities due to resource reuse (subdomain takeover is just one example of this) are rampant and readily exploitable for tons of major companies, especially as cloud providers and SaaS often overlook these as being client responsibilities.

Shameless plug, I've worked on identifying/characterizing these issues on cloud providers: https://arxiv.org/pdf/2204.05122.pdf

It's only a matter of time before adversaries become more sophisticated at identifying and exploiting these in bulk.
Reply #34307592 not loaded
Reply #34305910 not loaded
npteljes, over 2 years ago
Archive, because it has already been fixed by MS:

https://archive.ph/DEzVW
Reply #34305802 not loaded
simlevesque, over 2 years ago
Congrats to https://trufflesecurity.com/

The email rejection's tone is weird.
Reply #34308473 not loaded
Reply #34306632 not loaded
jiggawatts, over 2 years ago
The shameful thing about this is that I get "subdomain takeover" warning emails from Azure on a regular basis. Microsoft has a ton of automation around this for their customers already.
0xfffafaCrash, over 2 years ago
Isn't Truffle Security opening themselves up to litigation from this? It's harmless, but is the risk of having Microsoft's army of lawyers throw CFAA at you really worth this?
Reply #34304844 not loaded
Reply #34304135 not loaded
Reply #34303941 not loaded
Reply #34304131 not loaded
Reply #34305743 not loaded
metadat, over 2 years ago
Is this an example of the attack in the wild? Or what did I just view?
Reply #34303492 not loaded
Reply #34296251 not loaded
nashashmi, over 2 years ago
I need to start thinking more critically about my passwords being stored on MS Edge. Now!

These vulnerabilities are adding so much more fear to life.

I just got done neutralizing LastPass. And that took a while. I started that back in September.
Reply #34305645 not loaded
eyelidlessness, over 2 years ago
I got to see it in the wild, and it was magnificent. Glad they fixed it; for users I hope it was as holistic as they claimed it would be.
smileybarry, over 2 years ago
Now it's a different kind of broken, as HTTP redirects to HTTPS and refuses to connect due to HSTS mismatch.
breakingcups, over 2 years ago
Wonder if there are any cookies that would be able to access..
Reply #34304111 not loaded
AviationAtom, over 2 years ago
Looks like the subdomain hadn't been used in about two years:

https://web.archive.org/web/20190501000000*/http://cseo-coherence.microsoft.com
_trampeltier, over 2 years ago
Again?!? Here is an article from 2020.

https://www.zdnet.com/article/microsoft-has-a-subdomain-hijacking-problem/

2019: Microsoft loses control over Windows Tiles subdomain

https://www.zdnet.com/article/microsoft-loses-control-over-windows-tiles-subdomain/
Reply #34306298 not loaded
zakki, over 2 years ago
I read 2 examples of the links provided in the archive.today. Is this attack possible because the subdomain is provided by a CDN/S3 (or public cloud in general)? What if it doesn't use any CDN? Just a plain web server serving the site but no longer available, or the web server is down.
Reply #34304463 not loaded
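The question above is the crux of the whole thread, so here is the condition made concrete. A takeover needs a DNS record that still points at a name in a namespace a stranger can register on demand (a cloud app host, a storage bucket, a CDN endpoint) after the original resource was deleted; a plain server that is merely down leaves nothing for an attacker to claim unless the target domain itself lapses or, as the first comment notes, the provider recycles its IP. The following check is an added example written for this page, not code from the post, from Microsoft or from Truffle Security. The zone export, the set of upstream names that still resolve, and the short list of takeover-prone suffixes are all constructed here for illustration; a real run would replace `target_resolves` with a resolver query and pair the verdict with provider-specific fingerprinting.

```python
"""Dangling-CNAME check of the kind that flags subdomain-takeover candidates.

Added example for this thread; it is not code from the post, from Microsoft,
or from Truffle Security.  The zone export and the set of upstream names that
still resolve are constructed inline so the check runs offline.
"""
from dataclasses import dataclass
from typing import Optional

# Hostname suffixes of services where an unclaimed name can be registered by
# any account holder.  Illustrative sample, not an exhaustive fingerprint list.
TAKEOVER_PRONE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".s3.amazonaws.com",
    ".github.io",
)

# Constructed zone snapshot: owner name -> (record type, target).
ZONE = {
    "app.example.com":      ("CNAME", "prod-app-1234.azurewebsites.net"),
    "old-demo.example.com": ("CNAME", "demo-2019.azurewebsites.net"),
    "static.example.com":   ("CNAME", "assets-bucket.s3.amazonaws.com"),
    "legacy.example.com":   ("CNAME", "legacy-box.example.net"),
    "www.example.com":      ("A", "203.0.113.10"),
}

# Constructed view of the upstream DNS: names listed here resolve, anything
# else answers NXDOMAIN (the state a deleted cloud resource leaves behind).
LIVE_NAMES = {
    "prod-app-1234.azurewebsites.net",
    "assets-bucket.s3.amazonaws.com",
}


@dataclass(frozen=True)
class Finding:
    name: str
    target: str
    verdict: str  # "ok", "dangling-claimable" or "dangling-unclaimable"


def target_resolves(target: str, live: set) -> bool:
    """Stand-in for a real resolver query; True if the target has a record."""
    return target in live


def classify(name: str, zone: dict, live: set) -> Optional[Finding]:
    """Classify one owner name; only CNAMEs can dangle onto a provider name."""
    rtype, target = zone[name]
    if rtype != "CNAME":
        return None  # A/AAAA records need a different check (IP reuse)
    if target_resolves(target, live):
        return Finding(name, target, "ok")
    # The CNAME points at nothing.  It is only a takeover if the target name
    # lives in a namespace a stranger can register on demand.
    if target.endswith(TAKEOVER_PRONE_SUFFIXES):
        return Finding(name, target, "dangling-claimable")
    return Finding(name, target, "dangling-unclaimable")


def audit(zone: dict, live: set) -> list:
    """Run classify() over every owner name and collect the findings."""
    findings = []
    for name in sorted(zone):
        finding = classify(name, zone, live)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(ZONE, LIVE_NAMES):
        print(f"{f.verdict:22} {f.name} -> {f.target}")
```

Only `old-demo.example.com` is a takeover candidate: its target is gone and lives under a suffix anyone can register. `legacy.example.com` is the "plain web server that is down" case; it is still worth cleaning up, but nobody can claim `legacy-box.example.net` without owning that domain. The `www` A record is skipped because the resource-reuse risk there is the provider handing the address to another tenant, which is a separate check.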
chollida1, over 2 years ago
Can someone explain this? The link just 404's.
Reply #34306207 not loaded
mehrzad, over 2 years ago
Windows Store individual links don't seem to work for me. I have to search them up on the home page.
hoseja, over 2 years ago
Airtight hatchway guys!
lukew3, over 2 years ago
Looks like it's been fixed. Here's the archived page: https://web.archive.org/web/20230107222311/http://cseo-coherence.microsoft.com/
Reply #34303835 not loaded
Reply #34304183 not loaded
demarq, over 2 years ago
I want to click the red button.

So bad.
Reply #34304121 not loaded
Reply #34303500 not loaded
Reply #34303507 not loaded
Reply #34303499 not loaded
Reply #34303681 not loaded
jmull, over 2 years ago
Don't click that red button... ;)
Reply #34303698 not loaded
Reply #34303666 not loaded