/>
X

Microsoft loses control over Windows Tiles subdomain

Subdomain currently in the possession of a German security researcher, preventing any abuse.
catalin-cimpanu.jpg
Written by Catalin Cimpanu, Contributor on
015-gmail-calendar-in-live-tiles.png

Microsoft has lost control over a crucial subdomain that Windows 8 and Windows 10 use to deliver RSS-based news and updates to Live Tiles --animated Windows start menu items.

The subdomain (notifications.buildmypinnedsite.com) is currently under the control of Hanno Böck, a security researcher and journalist for German tech news site Golem.de.

Subdomain used by websites to deliver RSS news

The subdomain was part of the buildmypinnedsite.com service that Microsoft set up with the launch of Windows 8, and more specifically to allow websites to show live updates inside users' Start pages and menus.

To take advantage of this new feature, websites could add a meta tag to their source code that allowed Edge users to pin a web page to the Start page in Windows 8 and the Start menu in Windows 10.

Windows Live Tiles Edge menu

On the client-side, when a Windows user opened the Start page/menu, their computer would read the meta tag on the desired site and then load content inside the live tiles.

However, because the Windows Live Tiles service couldn't process the multitude of RSS feed formats, ever since its launch, Microsoft recommended that websites use the notifications.buildmypinnedsite.com subdomain to convert their RSS feeds into a special XML format that the Windows Tiles service would parse and create the animated Live Tiles inside the Start page/menu.

Thousands of websites added this meta tag to their code, in the hopes of taking advantage of a new way to reach their readers.

Windows Live Tiles subdomain
Image: ZDNet

But today Böck said the service no longer works.

"The host that should deliver the XML files - notifications.buildmypinnedsite.com - only showed an error message from Microsoft's cloud service Azure," the researcher said. "The host was redirected to a subdomain of Azure. However this subdomain wasn't registered with Azure."

Böck registered this subdomain on his Azure account and is currently sinkholing any requests it receives. He also notified Microsoft of the issue but said the company did not reply.

"We won't keep the host registered permanently. There's a decent amount of traffic reaching this host and running up costs," the researcher said.

"Once we cancel the subdomain a bad actor could register it and abuse it for malicious attacks," he warned.

Any threat actor who takes over this domain can use it to craft malformed XML files that could abuse the Windows Live Tiles service to run code on the computers of users who still have website-based Live Tiles in their Start pages/menus.

Böck is also recommending that websites remove the HTML meta tag from their source code, or provide the specially formatted XML files themselves, without sending users over to the notifications.buildmypinnedsite.com subdomain. Some of the sites using this subdomain include Mail.ru, Engadget, BGR, TenForums, Golem.de, Heise.de, and others.

Windows 10 May 2019 Update: The new features that matter most

More vulnerability reports:

Related

Launch your IT career with over 225 hours of training on Microsoft 365, Windows & Azure
replace-this-image.jpg

Launch your IT career with over 225 hours of training on Microsoft 365, Windows & Azure

Deals
Microsoft to start nagging Windows 8.1 users in July about January 2023 end-of-support date
endofsupportwin81

Microsoft to start nagging Windows 8.1 users in July about January 2023 end-of-support date

Windows
Microsoft: This out-of-band Windows security update fixes Microsoft 365 sign-in issues for Arm devices
getty-staff-pointing-at-a-computer-in-an-office.jpg

Microsoft: This out-of-band Windows security update fixes Microsoft 365 sign-in issues for Arm devices

Security