Page 1 of 6 123 ... LastLast

  1. Joined : Oct 2013
    Posts : 17,485
    64-bit Windows 10 Pro build 15014
       02 Aug 2016 #1

    Windows attack can steal your logged-in username and password


    A previously-disclosed flaw in Windows can allow an attacker to steal usernames and passwords of any signed-in user -- simply by tricking a user into visiting a malicious website.

    But now a new proof-of-exploit shows just how easy it is to steal someone's credentials.

    The flaw is widely-known, and it's said to be almost 20 years old. It was allegedly found in 1997 by Aaron Spangler and was most recently resurfaced by researchers in 2015 at Black Hat, an annual security and hacking conference in Las Vegas.

    The flaw wasn't considered a major issue until Windows 8 began allowing users to sign into their Microsoft accounts -- which links their Xbox, Hotmail and Outlook, Office, and Skype accounts, among others.

    Overnight, the attack got larger in scope, and now it allows an attacker to conduct a full takeover of a Microsoft account.

    The flaw works because Internet Explorer and Edge (on Windows 10) allow a user to access local network shares but don't fully block connections to remote shares.

    To exploit this, a hacker has to trick a user into visiting a specially-crafted web page in Internet Explorer or Edge (on Windows 10) that points to their own network share. The browser will silently send usernames and hashed passwords to the network share, which can then be scooped up and stolen...


    Read more: Windows attack can steal your logged-in username and password | ZDNet
      My System SpecsSystem Spec


  2. Joined : Aug 2015
    Posts : 434
    Windows 10 Home
       02 Aug 2016 #2

    Will this be fixed in the anniversary update? Edit: Chrome and Firefox not infected. So no worries here
      My System SpecsSystem Spec


  3. Joined : Oct 2013
    Nothern Ohio
    Posts : 446
    Windows 7/64 Professional
       02 Aug 2016 #3

    I'm really not sure why a 20 year old hack was not fixed in a brand new operating system.
      My System SpecsSystem Spec


  4. Joined : Jun 2014
    Posts : 4,488
    Windows 10 Pro
       02 Aug 2016 #4

    Layback Bear said: View Post
    I'm really not sure why a 20 year old hack was not fixed in a brand new operating system.
    Does make one wonder. 20 years and no fix.
      My System SpecsSystem Spec


  5. Joined : Sep 2014
    Posts : 84
    Windows
       03 Aug 2016 #5

    Isn't this why you can just disable the "Integrated Windows Authentication" option...??

    Integrated Windows Authentication IEInternals

    1. Open Control Panel
    2. Open Internet Properties
    3. Select Advanced tab
    4. Untick "Integrated Windows Authentication"
    5. Click Apply.

      My System SpecsSystem Spec


  6. Joined : Feb 2016
    Maribor, Slovenia
    Posts : 3,707
    Windows X (various flavours)
       05 Aug 2016 #6

    Thanks Dmex for this tip. Problem is, that this comes enabled by default. How many user will know about this?
      My System SpecsSystem Spec


  7. Joined : Oct 2014
    In a house with a crazy cat trying to kill me
    Posts : 11,459
    Win 7 32, Win 7 64 Pro, Win 8.1 64 Pro, Win 10 64 Education Edition
       05 Aug 2016 #7

    Microsoft won't fix Windows flaw that lets hackers steal your username


    Microsoft won't fix Windows flaw that lets hackers steal your username and password

    A previously disclosed flaw in Windows can allow an attacker to steal usernames and passwords of any signed-in user -- simply by tricking a user into visiting a malicious website.

    But now a new proof-of-exploit shows just how easy it is to steal someone's credentials.

    The flaw is widely known, and it's said to be almost 20 years old. It was allegedly found in 1997 by Aaron Spangler and was most recently resurfaced by researchers in 2015 at Black Hat, an annual security and hacking conference in Las Vegas.

    The flaw wasn't considered a major issue until Windows 8 began allowing users to sign into their Microsoft accounts -- which links their Xbox, Hotmail and Outlook, Office, and Skype accounts, among others.

    Overnight, the attack got larger in scope, and now it allows an attacker to conduct a full takeover of a Microsoft account.
    There's a simple mitigation, according to the group. Don't use Internet Explorer, Edge, or Microsoft Outlook, and don't log in to Windows with a Microsoft account.

    Chrome and Firefox users aren't affected.
    Microsoft won't fix Windows flaw that lets hackers steal your username and password | ZDNet
      My System SpecsSystem Spec


  8. Joined : Jun 2015
    Posts : 260
    Windows 7 (SP1)
       05 Aug 2016 #8

    So much for windows 10 being secure, not only have they not fixed the issue, that allows a site to steal all your log on information to all your windows devices, but they have created a new additional vulnerable browser that allows it. !!
      My System SpecsSystem Spec


  9. Joined : Jun 2014
    Posts : 4,488
    Windows 10 Pro
       05 Aug 2016 #9

    I don't get it. 20 years and a new browser later and still no fix. To me It's helps confirm why I do not want MS collecting any data about me.
      My System SpecsSystem Spec


  10. Joined : Aug 2014
    Australia, Adelaide
    Posts : 1,394
    W7 Ultimate SP1 (64 bit), LM 18.1 MATE (64 bit), W10IP VM, W10 Home
       05 Aug 2016 #10

    When some people suggested that using an online login was a risk, "fan boys" shouted abuse at them.

    LMAO now.

    I don't get it. 20 years and a new browser later and still no fix. To me It's helps confirm why I do not want MS collecting any data about me.
    Indeed.

    Just for completeness, this also applies to other corporations (e.g. Adobe, Apple, Google, Sony, etc.).
      My System SpecsSystem Spec


 
Page 1 of 6 123 ... LastLast


Similar Threads
Thread Forum
Username and Password textbox not showing
Hi Friends, Today my laptop upgraded to windows 10 automatically after i logged into my account if i take the sharing the username and password field is disabled and it is taking my current username and password when i not able to take the RDP it...
User Accounts and Family Safety
Wifi username and password issue
Hi, I have just bought an HP laptop running windows 10. I cannot connect to internet wirelessly as when I select my network connection it requests username and password. (Screen shot attached) I only have a network password for my connection and...
Network and Sharing
Windows 10 want XBOX username and password to log on PC
My son loaded some apps using his XBOX id and now whenever I start up or reboot my PC it wants the XBOX login in information and then list my son's XBOX id as user. There is no other user listed when I boot the system. How to I get rid of his XBOX...
User Accounts and Family Safety
Solved I changed my windows username, password stopped working
I changed my username on Windows 10, and after a while I logged out. Then when I try to log back, it asks for password, but my old password doesnt work. I also tried putting blank password (not writing anything) but that doesn't work either. How...
User Accounts and Family Safety
Username or password incorrect
I've previously run netplwiz from the command prompt to disable the sign in process in Windows 10. 24001 Which worked fine in build 10049 but in 10158 & 10166 I now get this error message 23986 I don't understand how this message can...
User Accounts and Family Safety
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 15:36.
Find Us
Twitter Facebook Google+



Windows 10 Forums