Microsoft loses control over Windows Tiles subdomain

Subdomain currently in the possession of a German security researcher, preventing any abuse.
Written by Catalin Cimpanu, Contributor

Microsoft has lost control over a crucial subdomain that Windows 8 and Windows 10 use to deliver RSS-based news and updates to Live Tiles --animated Windows start menu items.

The subdomain (notifications.buildmypinnedsite.com) is currently under the control of Hanno Böck, a security researcher and journalist for German tech news site Golem.de.

Subdomain used by websites to deliver RSS news

The subdomain was part of the buildmypinnedsite.com service that Microsoft set up with the launch of Windows 8, and more specifically to allow websites to show live updates inside users' Start pages and menus.

To take advantage of this new feature, websites could add a meta tag to their source code that allowed Edge users to pin a web page to the Start page in Windows 8 and the Start menu in Windows 10.

Windows Live Tiles Edge menu

On the client-side, when a Windows user opened the Start page/menu, their computer would read the meta tag on the desired site and then load content inside the live tiles.

However, because the Windows Live Tiles service couldn't process the multitude of RSS feed formats, ever since its launch, Microsoft recommended that websites use the notifications.buildmypinnedsite.com subdomain to convert their RSS feeds into a special XML format that the Windows Tiles service would parse and create the animated Live Tiles inside the Start page/menu.

Thousands of websites added this meta tag to their code, in the hopes of taking advantage of a new way to reach their readers.

Windows Live Tiles subdomain
Image: ZDNet

But today Böck said the service no longer works.

"The host that should deliver the XML files - notifications.buildmypinnedsite.com - only showed an error message from Microsoft's cloud service Azure," the researcher said. "The host was redirected to a subdomain of Azure. However this subdomain wasn't registered with Azure."

Böck registered this subdomain on his Azure account and is currently sinkholing any requests it receives. He also notified Microsoft of the issue but said the company did not reply.

"We won't keep the host registered permanently. There's a decent amount of traffic reaching this host and running up costs," the researcher said.

"Once we cancel the subdomain a bad actor could register it and abuse it for malicious attacks," he warned.

Any threat actor who takes over this domain can use it to craft malformed XML files that could abuse the Windows Live Tiles service to run code on the computers of users who still have website-based Live Tiles in their Start pages/menus.

Böck is also recommending that websites remove the HTML meta tag from their source code, or provide the specially formatted XML files themselves, without sending users over to the notifications.buildmypinnedsite.com subdomain. Some of the sites using this subdomain include Mail.ru, Engadget, BGR, TenForums, Golem.de, Heise.de, and others.

Windows 10 May 2019 Update: The new features that matter most

More vulnerability reports:

Editorial standards