Zack Whittaker points out a scary flaw in Windows that allows malicious URLs to gather the usernames and passwords of Microsoft accounts. The title of the article is “Microsoft won’t fix Windows flaw that lets hackers steal your username and password”.
Evidently the flaw was discovered in 1997, and relies on Internet Explorer and Edge allowing users to access network shares. When attempting to access a share, those browsers silently send the username and hashed password.
Of course, since Windows 8 began allowing users to sign in using their Microsoft accounts, the username and password that are sent are the user’s live account info.
How can the danger from this be reduced?
- Don’t follow bad URLs in emails. – Yes, this is always going to be hard to follow, especially if you’re responsible for a large user base.
- Use strong passwords. – Please tell me that this is how you handle passwords these days.
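
For a large user base, the first point can be backed by a mail-filter check that flags links to network shares on outside hosts before a user ever sees them. This is an added example, not code from the article or from Microsoft; the function names, the `.corp.example` internal suffix and the sample message are assumptions.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

INTERNAL_SUFFIXES = (".corp.example",)       # assumption: your own DNS suffixes
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")  # \\host\share

def share_host(url):
    """Return the host if url names a network share, else None."""
    url = url.strip()
    m = UNC_RE.match(url)
    if m:
        return m.group(1).lower()
    try:
        parts = urlsplit(url.replace("\\", "/"))  # browsers treat \ as / here
    except ValueError:
        return None
    if parts.scheme == "file" and parts.hostname:
        return parts.hostname  # file:///C:/... has no host and is skipped
    return None

def is_external(host):
    """Heuristic: public IPs and dotted names outside INTERNAL_SUFFIXES."""
    try:
        ip = ipaddress.ip_address(host)
        return not (ip.is_private or ip.is_loopback or ip.is_link_local)
    except ValueError:
        return "." in host and not host.endswith(INTERNAL_SUFFIXES)

class ShareLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            host = share_host(value) if name in ("href", "src") and value else None
            if host and is_external(host):
                self.hits.append((name, host))

def find_external_share_links(html):
    finder = ShareLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample message body (not from the article).
SAMPLE = r'''
<a href="https://portal.example/invoice/42">view invoice</a>
<a href="file://files.untrusted.example/docs/q3.xlsx">Q3 report</a>
<a href="\\share.untrusted.example\docs\q3.xlsx">Q3 report (mirror)</a>
<a href="\\fileserver\team\notes.txt">team notes</a>
<img src="file://10.0.0.5/logos/logo.png">
<a href="file:///C:/Users/Public/readme.txt">local file</a>
'''
```

Only the two links to `untrusted.example` hosts are reported; the single-label server, the private address and the local file path are left alone.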
Microsoft said that they are “aware of this information gathering technique” and that “if needed, we’ll take additional steps”.