August 16, 2016
Your Microsoft Account Credentials May Be Vulnerable
In fact, your Microsoft Account Credentials are almost certainly vulnerable, but until the rise in popularity of Windows 10, it hasn’t been nearly as big an issue as it is today. The unfortunate reality is that Microsoft has known about the flaw in their software that allows this bug to function since 1997, and in all that time, no fix has been offered. Even worse, it doesn’t appear that one will be made available any time in the foreseeable future.
In order to make the exploit work, all a hacker has to do is get you to connect to a SMB share, which can be accomplished simply by posting a link to an image file hosted on a SMB server they control. Once you click the link, your Microsoft Account credentials are going to be automatically passed to the server, and although your password will be hashed, most people don’t use passwords that are overly complex, meaning that almost any password cracker could reveal your password in a matter of seconds.
To make matters worse, a terrifying percentage of people use their Microsoft Account credentials on a variety of other accounts, so once the hacker has the information, he can go fishing, testing to see if the same username and password works to get into your bank account, your credit card accounts, and pretty much any other service you access online.
To add insult to injury, Microsoft had no good information on their website for preventing any of this from happening, which is a real problem, given how hard they’ve been pushing for Windows 10 adoption, and the fact that Windows 10 requires you to log in with your Microsoft Account credentials.
All of this is a recipe for disaster, and unfortunately, the most helpful bit of advice on offer from Microsoft to this point is to steer clear of Internet Explorer and Microsoft Edge for the time being, as those two browsers are more tightly integrated with the Windows OS, and make it even easier to lose control of your machine.