Jump to content

Recommended Posts

Posted

The flaw, which allows a malicious website to extract user passwords, is made worse if a user is logged in with a Microsoft account.

 

3d0ffc6c8f6339abebcae1ffa37e1577.jpg

 

A previously-disclosed flaw in Windows can allow an attacker to steal usernames and passwords of any signed-in user -- simply by tricking a user into visiting a malicious website.

 

But now a new proof-of-exploit shows just how easy it is to steal someone's credentials.

 

The flaw is widely-known, and it's said to be almost 20 years old.

It was allegedly found in 1997 by Aaron Spangler and was most recently resurfaced by researchers in 2015 at Black Hat, an annual security and hacking conference in Las Vegas.

 

The flaw wasn't considered a major issue until Windows 8 began allowing users to sign into their Microsoft accounts -- which links their Xbox, Hotmail and Outlook, Office, and Skype accounts, among others.

 

The flaw works because Internet Explorer and Edge (on Windows 10) allow a user to access local network shares but don't fully block connections to remote shares.

 

To exploit this, a hacker has to trick a user into visiting a specially-crafted web page in Internet Explorer or Edge (on Windows 10) that points to their own network share. The browser will silently send usernames and hashed passwords to the network share, which can then be scooped up and stolen.

 

If passwords are weak, they can be easily unscrambled and used to log in to user accounts.

 

The flaw can also be triggered by sending a trick email to a victim who uses Microsoft Outlook.

 

Perfect Privacy, a virtual private networking (VPN) provider, said in a blog post that VPN connections are also affected.

If a user visits a site while they're connected to a VPN, their credentials will also leak, potentially affecting the anonymity of the user.

 

The group set up a proof-of-exploit page that churns back your username, domain, and hashed password -- which it then tries to crack (if it's an easy-to-guess password, it'll take just seconds).

 

We were able to verify on three computers in our lab using separate disposable Microsoft account logins.

It's not immediately clear where any submitted data goes, so we strongly recommend that you do not submit your own credentials to the site.

 

There's a simple mitigation, according to the group.

Don't use Internet Explorer, Edge, or Microsoft Outlook, and don't log in to Windows with a Microsoft account.

 

Chrome and Firefox users aren't affected.

 

A Microsoft spokesperson suggested that the company would not patch the flaw.

 

"We're aware of this information gathering technique, which was previously described in a paper in 2015.

Microsoft released guidance to help protect customers and if needed, we'll take additional steps," the spokesperson said.

 

 

Source:

http://www.zdnet.com/article/windows-attack-can-steal-your-username-password-and-other-logins/#ftag=RSSbaffb68

76c90dd0e79a714317a8daeecc1584d2.png

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...