Microsoft lost control over the Windows Tiles domain and someone took it
Microsoft introduced Tiles in the Windows Start Menu and Start page when it launched the Windows 8 operating system. Designed to add a dynamic note to the previously static program, service and website links by supporting options to load new tile content regularly, it was a feature that never saw broad adoption by users of Windows.
Many were only exposed to the default list of tiles that Microsoft added to Start profiles; this did not prevent Microsoft from adding support for Live Tiles to Windows 10 as well. Websites and services could support the feature as well so that users who pinned these to Start would receive updated tiles whenever new content became available. While tiles are on their way out, they are still supported in all recent versions of Windows.
A story on German computer site Golem (in English) describes how Golem got its hands on a domain responsible for Tile content delivery to Windows systems because Microsoft failed to protect properly against what is called a subdomain takeover attack.
The takeover gave Golem full control over the content that it delivered to user systems;Â Windows 8 and 10 users can pin supporting websites to Start to receive updates when new content is published.
Golem noted that sites like Engadget, Mail.ru, or the major German news sites Heise or Giga, supported tiles just like many others.
How the attack was carried out
The host responsible for delivering data to Windows devices was notifications.buildmypinnedsite.com; Microsoft appears to have abandoned the domain and while it redirected it to a subdomain of Azure, never registered it with Azure. Golem managed to register the subdomain using a regular Azure account and added corresponding host names to take full control over the Tiles service used to deliver content to user devices.
The magazine contacted Microsoft about the issue but did not receive a response according to the article. It noted that the host received a "decent amount of traffic" and that Golem would not keep the host registered permanently because of running costs.
Golem stopped the web app in the meantime, it returns a 403 this web app is stopped error now so that manipulated content cannot be delivered to user devices at the time.
Windows users may want to deactivate website live tiles (see this tutorial for Windows 8 Live Tiles) if they use any as a consequence, and website owners may want to drop support for the feature as well to protect against potential abuse.
Closing Words
I never thought much of Live Tiles on desktop versions of Windows. While some functionality was appreciated, e.g. getting an up to date weather report by opening Start, most of the functionality did not make much sense on the desktop in my opinion.
A scenario like this should never happen in my opinion, especially not if it has the potential to affect customers negatively.
Now You: What is your take on Live Tiles or dynamic tiles in general?
I never liked those tiles. Likewise, IMO the start menu has sucked in Windows 8 and 10.
In Windows 10 I turn off as much of the start menu functions and apps I can, and avoid using it altogether.
I simply make my own shortcuts to all I need, categorized in my own folders, the way I like.
Also, to make Window 10 something I can put up with, I use O&O AppBuster, O&O ShutUp10, Ultimate Windows Tweaker, Winaero Tweaker, Classic System Configuration, Classic Task Manager, Geek Uninstaller, and more.
Too bad Mircosoft can’t seem to make a simple, modern OS that isn’t bloated with useless crap that it forces on us.
That said, I’m at least glad they are revamping Edge with Chrome, but I’m not expecting much.
Windows 10 sucks!
Beyond the snark I posted, the fact that this could have happened at all shows MS doesn’t have control over their OS. Speaks volumes about why Windows Update is so hosed.
Windows still suffers from the killed by themselves attempt at making a common phone desktop and touch screen interface. Which they apparently forgot about, then began brewing Win 10, which is really…middling.
Good thing MS wasn’t making transportation equipment in the Win 8 era, their cars would have pedals and chains so bike riders would recognize them as MS and their bikes would all have doors and power steering! Neither would work right.
The junk you can sell when your market is captive.
No, tiles on a desktop, except for touchscreens are stupid; live tiles are like a nightmare version of clippy, distracting and pointless. Hmmm, didn’t all these garbage features start with clippy?
Wow, clippy recently returned for a while:
https://www.theverge.com/2019/3/22/18276923/microsoft-clippy-microsoft-teams-stickers-removal
First thing I do on any OS install is remove tiles, MS apps and install classic shell.
Le Postmeritocracy
Hope some hacker destroys most of the windows installs through thee “””tiles”””
Its time Microsoft gets rid of tiles. Its broken most of the time in Windows 10. The people making decisions on Windows 10 has no talent.
Win 8.1/10’s Metro Tiles are ugly and not intuitive or user-friendly. Win XP/Vista/7’s icons were much better.
……. Thank the stars Win 10 Mobile and its ugly Metro Tiles died. Hopefully, Win 10 in its existing form(= forced auto-updates and Telemetry) will die as well.
“Designed to add a dynamic note to the previously static program, service and website links by supporting options to load new tile content regularly…”
I’ve read this eight times now, and can obly conclude that it’s a mistake.
Windows 10 start menu is absolutely garbage. It still feels like it was made by college students just starting code. Microsoft didn’t even try to make it usable. They should scrap the current start menu and use Startisback. The computer world would be a better place if they did.
@Michael Crutchfield: “Windows 10 start menu is absolutely garbage”
I share your dislike of the Win 10 start menu. Replacing it with one of the more reasonable ones is an essential part of making Win 10 as close to tolerable as possible.
Remember how micro$oft kept telling that WinVista/Win7 gadgets were not secure enough and Live Tiles were the future? lol
i imagine he’s talking about how you have to turn off each individual tile (if you do right click) eg. turning it off for weather doesn’t turn it off for calender.. so what happens to the ones that are not pinned (does that mean they aren’t actually tiles, nevermind life tiles, so irrelevant?)
I have used Open Shell Menu (and its precursor) since I got Win 10. I could not stant the ugly tile interface and the lack of useful functionality.
“What is your take on Live Tiles or dynamic tiles in general?”
The concept of live/dynamic tiles has been around for a very long time now in various forms on various desktops. I can understand how some people may find them useful. I never have, personally. They’re just a distraction and a waste of CPU cycles for me.
@Martin What about tiles on not on the start menu?
The option to “turn live tile off” doesn’t show unless you pin one to start, like “Feedback Hub” for example.
I too use the weather tile, set to large, because I can’t find a gadget that works as well. I’d much rather have it pinned to my desktop on the 2nd monitor so, turning off live tiles system wide is not a desirable option at this time.
PS “Gadget” = Desktopgadgets Revived.
I know it looks cool but how hard is it to goto wunderground using a browser, it takes all of 3 seconds for me.
The issue is none anymore right now as the domain is returning the error. Is that what you meant?
All live tiles are on by default until manually turned off.
I’m wondering if tiles that have the live tile function but have never been pinned to start still receive data. (regardless of where they try to get the data from or if it’s successful)
Personally never liked live tiles. It looks like a design concept from a kid that’s uses his computer mostly for games not business. I remove them.
These tiles were all about shoehorning advertising into your desktop anyway.
Damn, how dumb is Microsoft to not use the subdomain.microsoft.com or subdomain.gfx.ms, but instead go for an idiotic domain name where they do not control the top level domain.
To be honest this is something we came to expect since they went for racial diversity instead of skills.
@ noname
Yes, agree. Tech jobs should be given out based on merit (= skills and talent), and not based on race or sex/gender (= racial diversity and feminism or woman-power are White liberal politics that pander for votes from the minorities and narrow-interest groups)
@ Adam Laceky ……. No, in fact it is racist for a tech business to hire people based on race, whether it’s to favor the White, Black, Brown, Yellow or Grey race. It is also sexist to hire people based on sex/gender.
Why do the White liberals not demand for more Whites, Browns and Yellows in the multi-billion NBA or NFL business.?
@AnorKnee Merce
They know Whites, Browns and Yellows etc would get creamed in full public view whereas in IT workers names/faces are not on public view and no one can point a finger and say:
YOU LOST US THE GAME.
Good Lord, that’s racist.
@noname: “how dumb is Microsoft to not use the subdomain.microsoft.com or subdomain.gfx.ms”
This isn’t really a Microsoft-only thing. For better or worse (worse, in my opinion) it has fallen out of fashion to use subdomains generally.
Perhaps not racial diversity, but rather using cheap resources of dubious ability. This is something all too many companies are doing and we keep seeing the results. Not sure I understand the thinking though. Pay 1/3rd the cost, but take 4 times as long, and turn out a very poor result that the end user is unhappy with.
Net result: higher cost, late delivery, decimated customer satisfaction
Yep, that sounds like a winning strategy.
This has nothing to do with racial diversity and everything to do with mis-management and lack of attention to details.
I wish there was a serious competition to Microsoft in the corporate and cloud business, so they would care about innovating their end user products.
You seriously think they’ve no competition in the cloud? Have you not heard of Amazon?