Windows attack can steal your logged-in username and password

    Posted: 02 Aug 2016
    A previously-disclosed flaw in Windows can allow an attacker to steal usernames and passwords of any signed-in user -- simply by tricking a user into visiting a malicious website.

    But now a new proof-of-exploit shows just how easy it is to steal someone's credentials.

    The flaw is widely-known, and it's said to be almost 20 years old. It was allegedly found in 1997 by Aaron Spangler and was most recently resurfaced by researchers in 2015 at Black Hat, an annual security and hacking conference in Las Vegas.

    The flaw wasn't considered a major issue until Windows 8 began allowing users to sign into their Microsoft accounts -- which links their Xbox, Hotmail and Outlook, Office, and Skype accounts, among others.

    Overnight, the attack got larger in scope, and now it allows an attacker to conduct a full takeover of a Microsoft account.

    The flaw works because Internet Explorer and Edge (on Windows 10) allow a user to access local network shares but don't fully block connections to remote shares.

    To exploit this, a hacker has to trick a user into visiting a specially-crafted web page in Internet Explorer or Edge (on Windows 10) that points to their own network share. The browser will silently send usernames and hashed passwords to the network share, which can then be scooped up and stolen...


    Read more: Windows attack can steal your logged-in username and password | ZDNet
    Posted By: Brink
    02 Aug 2016

  1. prikker
    Posts : 382
    Windows 10 Home
       #1

    Will this be fixed in the anniversary update? Edit: Chrome and Firefox not infected. So no worries here

  2. Layback Bear
    Posts : 983
    Windows 7/64 Professional
       #2

    I'm really not sure why a 20 year old hack was not fixed in a brand new operating system.

  3. Winuser
    Posts : 6,996
    Windows 10 Pro Insider
       #3

    Layback Bear said:
    I'm really not sure why a 20 year old hack was not fixed in a brand new operating system.
    Does make one wonder. 20 years and no fix.

  4. dmex
    Posts : 93
    Windows
       #4

    Isn't this why you can just disable the "Integrated Windows Authentication" option...??

    Integrated Windows Authentication IEInternals

    1. Open Control Panel
    2. Open Internet Properties
    3. Select Advanced tab
    4. Untick "Integrated Windows Authentication"
    5. Click Apply.

  5. AndreTen
    Posts : 23,379
    Windows 10 (Pro and Insider Pro)
       #5

    Thanks Dmex for this tip. Problem is that this comes enabled by default. How many users will know about this?

  6. Borg 386
    Posts : 28,797
    Win 7 32, Win 7 64 Pro, Win 8.1 64 Pro, Win 10 64 Education Edition
       #6

    Microsoft won't fix Windows flaw that lets hackers steal your username and password

    A previously disclosed flaw in Windows can allow an attacker to steal usernames and passwords of any signed-in user -- simply by tricking a user into visiting a malicious website.

    But now a new proof-of-exploit shows just how easy it is to steal someone's credentials.

    The flaw is widely known, and it's said to be almost 20 years old. It was allegedly found in 1997 by Aaron Spangler and was most recently resurfaced by researchers in 2015 at Black Hat, an annual security and hacking conference in Las Vegas.

    The flaw wasn't considered a major issue until Windows 8 began allowing users to sign into their Microsoft accounts -- which links their Xbox, Hotmail and Outlook, Office, and Skype accounts, among others.

    Overnight, the attack got larger in scope, and now it allows an attacker to conduct a full takeover of a Microsoft account.
    There's a simple mitigation, according to the group. Don't use Internet Explorer, Edge, or Microsoft Outlook, and don't log in to Windows with a Microsoft account.

    Chrome and Firefox users aren't affected.
    Microsoft won't fix Windows flaw that lets hackers steal your username and password | ZDNet

  7. zooburner
    Posts : 348
    Windows 10 Pro
       #7

    So much for Windows 10 being secure. Not only have they not fixed the issue that allows a site to steal all your log on information to all your Windows devices, but they have created a new additional vulnerable browser that allows it!!

  8. Winuser
    Posts : 6,996
    Windows 10 Pro Insider
       #8

    I don't get it. 20 years and a new browser later and still no fix. To me it helps confirm why I do not want MS collecting any data about me.

  9. lehnerus2000
    Posts : 1,809
    W7 Ultimate SP1 (64 bit), LM 19.2 MATE (64 bit), W10 Home 1703 (64 bit), W10 Pro 1703 (64 bit) VM
       #9

    When some people suggested that using an online login was a risk, "fan boys" shouted abuse at them.

    LMAO now.

    I don't get it. 20 years and a new browser later and still no fix. To me it helps confirm why I do not want MS collecting any data about me.
    Indeed.

    Just for completeness, this also applies to other corporations (e.g. Adobe, Apple, Google, Sony, etc.).
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
