Hackers can remotely sign-in to your Windows PC, access your Outlook account, and view your Skype messages by exploiting a bug that’s been around since 1997 that Microsoft hasn’t bothered to fix since then.
The bug leaks Microsoft account names and hashed passwords. That’s better than revealing the passwords in plain text — hashed passwords require at least some effort to decipher — but weak passwords could be cracked in just a few seconds. Once that happens, the attacker can access essentially any Microsoft service, and could possibly even remotely sign in to a Windows PC connected to the account.
“To exploit this, an attacker would simply set up a network share. An embedded image link that points to that network share is then sent to the victim, for example as part of an email or website,” Hackaday explains. “As soon as the prepped content is viewed inside a Microsoft product such as Edge/Spartan, Internet Explorer or Outlook, that software will try to connect to that share in order to download the image.”
That’s bad news for anyone who has connected their account to Skype, Office, Xbox Live, OneDrive, and other Microsoft services that can store personal data. But there is some good news: The bug only affects people who use Internet Explorer, the new Edge browser, or Outlook to visit a compromised website. Anyone who uses an alternative web browser or email service is already safe.
Perfect Privacy has set up a website that can help Windows users determine whether their Microsoft account credentials are being leaked to the world. (It also warns that anyone running the test should change their passwords immediately if their credentials are being shared. All it takes is for someone to hack into that site to get a whole lot of valuable logins.)
Earlier this month, France’s National Data Protection Commission warned that Windows 10 compromises user privacy, which means this bug is just another reason not to use Windows 10 without being aware of the risks involved.
Microsoft has not only let this bug affect its customers for almost two decades — it’s also changed Windows in ways that make this vulnerability more devastating. “Back in 1997, the attacker would have only obtained your local Windows login data,” Hackaday writes. “But in Windows 10, the default login method is the user’s [Microsoft account]” which means it now offers total access to someone’s system.