Download this update from mybrowser.microsoft.com. Oh, sorry, that was malware on a hijacked sub-domain. Oops
2020-03-04 19:04

Well, you shouldn't have, because the pair were among sub-domains hijacked by vulnerability researchers to prove Microsoft is lax with its own online security.

Now, as we said, Microsoft has loads of these sub-domains, and after a while it just stops updating some of them and abandons them.

To demonstrate the hostnames could be hijacked, they redirected ten of Microsoft's sub-domains, including mybrowser.

All Microsoft has to do is delete DNS entries for sub-domains when decommissioning their servers, or at least consider removing DNS entries for those sub-domains that no longer respond to HTTP requests.
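One way to run that check over your own zone's hostnames, as an added example (not code from the article or from Microsoft). The helper names `resolves`, `http_status`, `audit` and `removal_candidates` are assumptions made for illustration, and the `example.com` inventory is constructed.

```python
import http.client
import socket

def resolves(host):
    """True while the name still has an address record in DNS."""
    try:
        socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
        return True
    except socket.gaierror:
        return False

def http_status(host, timeout=5):
    """Status code of a HEAD / over HTTPS, then HTTP; None if neither answers."""
    for conn_cls in (http.client.HTTPSConnection, http.client.HTTPConnection):
        conn = conn_cls(host, timeout=timeout)
        try:
            conn.request("HEAD", "/")
            return conn.getresponse().status
        except (OSError, http.client.HTTPException):
            continue  # refused, timed out, TLS failure: try the next scheme
        finally:
            conn.close()
    return None

def audit(hostnames, resolve=resolves, probe=http_status):
    """Classify each name: 'no-dns', 'live', or 'stale' (resolves, no HTTP answer)."""
    report = {}
    for host in hostnames:
        if not resolve(host):
            report[host] = "no-dns"      # record already removed
        elif probe(host) is None:
            report[host] = "stale"       # DNS entry outlived its server
        else:
            report[host] = "live"
    return report

def removal_candidates(report):
    """Names whose DNS entries should be reviewed for deletion."""
    return sorted(h for h, state in report.items() if state == "stale")

# Constructed inventory for an offline run: name -> (resolves?, HTTP status or None).
SAMPLE = {
    "www.example.com": (True, 200),
    "old-campaign.example.com": (True, None),
    "retired.example.com": (False, None),
}

if __name__ == "__main__":
    report = audit(SAMPLE, resolve=lambda h: SAMPLE[h][0], probe=lambda h: SAMPLE[h][1])
    print(removal_candidates(report))
```

Against a real zone, pass the exported hostname list to `audit` and leave `resolve` and `probe` at their defaults.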

"We will continue to report all vulnerable sub-domains ... otherwise, nobody will report them to Microsoft. It's a great reason why visitors should be careful while visiting Microsoft's websites. If Microsoft doesn't need us, we invite them to scan all their sub-domains and fix all of the vulnerable sub-domains."


News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/04/microsoft_subdomain_takeover/