Security researchers warn that a flaw in the Windows OS could leak Microsoft account passwords and VPN credentials if a Windows user browses the web over a VPN. The flaw is an old error in the way Windows validates access to shared network resources.
An attacker can exploit the flaw by embedding a link to an SMB resource, or network share, in an email or website that is then opened in Microsoft Outlook. The link can be crafted and hidden in an image tag that points to the SMB resource. The attacker can also point the link at an SMB resource hosted on their own network instead of at a legitimate network share.
If the user opens the link in Microsoft Edge, Microsoft Outlook or Internet Explorer, the login credentials of the Microsoft account are sent automatically to the attacker’s domain. This happens because of the method Windows uses to authenticate to network shares.
It is true that the Microsoft account password does not reach the attacker in plain text, but as an NTLM hash. Unfortunately, the NTLM hash is easy to crack, of that much we are sure.
But do not for one second think this is a new discovery. The tech world and Microsoft have known about it for ages. The issue has been discussed at security conferences since 1997, but Microsoft has not come up with a concrete solution.
In the past, the flaw was not an issue at all. Back then, Windows used local usernames and passwords to grant users access to the PC. But since Windows 8, Microsoft allows users to log into their PCs with their Microsoft accounts, and in Windows 10 this form of authentication is the default. When you first set up the OS, it asks you to sign in with your Microsoft account.
Nowadays, all Microsoft products ask you to sign in with your Microsoft account. The old, unfixed flaw allows an attacker to obtain the login credentials of that account. Since you use one Microsoft account for all Microsoft products, the attacker consequently gains access to your Xbox, Skype, Bing, OneDrive, Azure, Office 365 and much more, says ValdikSS of ProstoVPN.
The worst part is that, if the user accessed the fake SMB resource over a VPN connection, the VPN credentials leak too, so the attacker also gains access to the user’s VPN account. Microsoft has since fixed most of the vulnerabilities in the network share validation system, but the company has not fixed the flaw that allows login credentials to be sent to an SMB server.
Current workarounds for this problem include blocking outbound SMB connections in the Windows Firewall or no longer using your Microsoft account to log into your PC.
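As an added example that is not part of the original article, the following PowerShell creates the outbound Windows Firewall block rules the workaround describes and verifies they are in place; the rule names, the Block-OutboundSmb and Test-OutboundSmbBlocked function names, and the default 'Any' remote address are my own choices.

```powershell
# Added example (not from the article): block outbound SMB/NetBIOS traffic with
# Windows Defender Firewall so a crafted SMB link cannot start an NTLM handshake
# with an external server. Run from an elevated PowerShell session.
# $RemoteAddress defaults to 'Any'; narrow it to external address ranges if
# internal file shares on the LAN must keep working.
function Block-OutboundSmb {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$RemoteAddress = 'Any',
        [string]$Group = 'Block Outbound SMB (credential leak mitigation)'
    )
    # Ports used for SMB and NetBIOS-over-TCP/IP session setup.
    $targets = @(
        @{ Name = 'SMB over TCP 445';      Protocol = 'TCP'; Port = 445 },
        @{ Name = 'NetBIOS session 139';  Protocol = 'TCP'; Port = 139 },
        @{ Name = 'NetBIOS name 137';     Protocol = 'UDP'; Port = 137 },
        @{ Name = 'NetBIOS datagram 138'; Protocol = 'UDP'; Port = 138 }
    )
    foreach ($t in $targets) {
        $name = "Block Outbound $($t.Name)"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$name' already exists, skipping"
            continue
        }
        if ($PSCmdlet.ShouldProcess($name, 'Create outbound block rule')) {
            New-NetFirewallRule -DisplayName $name -Group $Group `
                -Direction Outbound -Action Block -Enabled True `
                -Protocol $t.Protocol -RemotePort $t.Port `
                -RemoteAddress $RemoteAddress -Profile Any | Out-Null
        }
    }
}

function Test-OutboundSmbBlocked {
    # Returns $true only when every expected block rule exists, is enabled and blocks.
    $expected = 'Block Outbound SMB over TCP 445', 'Block Outbound NetBIOS session 139',
                'Block Outbound NetBIOS name 137', 'Block Outbound NetBIOS datagram 138'
    foreach ($name in $expected) {
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $rule -or $rule.Enabled -ne 'True' -or $rule.Action -ne 'Block') {
            return $false
        }
    }
    return $true
}

Block-OutboundSmb -Verbose
Test-OutboundSmbBlocked
```

Because Windows Firewall block rules take precedence over allow rules, the LAN exception cannot be added as a separate allow rule; restrict the block itself via -RemoteAddress instead.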