Microsoft no longer owns a subdomain name that needs to ensure that RSS-based news updates are delivered to the Windows Live Tiles start menu in Windows 8 and 10. This can cause a major security issue, reports ZDNet.
According to the techsite, the subdomain name notifications.buildmypinnedsite.com is now in the hands of the German security investigator and journalist Hanno Böck. He recently discovered that the subdomain in question was no longer functioning and only showed an error message from Azure. The host was redirected to Azure, but the cloud platform showed that the subdomain name was not registered there. This made it relatively easy for the security specialist to register the domain name there himself.
Subdomain puhst XML files to Windows Live Tiles
The subdomain name was part of the buildmypinnedsite.com service that the tech giant set up at the time of the launch of Windows 8. This service allows websites to show live updates in the Start pages and menus of Windows end users.
Specifically, web pages can add a meta tag to their source code that allows Microsoft’s Edge browser’s end users to pin that page to their Start Page in Windows 8 and to the Start Menu in Windows 10. When these end users open their Home Page or Menu, the PC or laptop reads the meta tag on the relevant website and loads its contents into the Windows Live Tiles.
The subdomain must specifically ensure that RSS feeds are translated into a special XML format. This XML format should ensure that the Windows Live Tiles service ensures that animated Live Tiles with the desired content appear within the Home page or menu. With this, thousands of websites wanted to take advantage of a new way to bring their content to the attention of the public.
Completely open for hackers
Now that the subdomain name was not registered at Azure, the functionality was wide open for hackers. These were able to develop rogue XML files that would allow the Windows Live Tiles service to run malware code on computers that still have these web-based Live Tiles in their Home Page or Menu, according to ZDNet.
Böck has now informed Microsoft about the security problem, but the tech giant has not yet responded. However, he does want the tech giant to come up with a solution quickly, as he doesn’t intend to keep the registration for long for cost reasons.
Delete meta tag
In addition, the German security specialist advises websites that use this subdomain for uploading XML files to remove the meta tag from the source code of their websites. Also, they can deliver special XML files themselves without having to send end users to the subdomain.
This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.