Microsoft Was Routing Example-Domain Traffic To a Japanese Cable Company for Five Years (arstechnica.com)
- Reference: 0180665776
- News link: https://it.slashdot.org/story/26/01/27/1724230/microsoft-was-routing-example-domain-traffic-to-a-japanese-cable-company-for-five-years
- Source link: https://arstechnica.com/information-technology/2026/01/odd-anomaly-caused-microsofts-network-to-mishandle-example-com-traffic/
The misconfiguration meant anyone attempting to set up an Outlook account using an example.com email address could have inadvertently sent test credentials to Sumitomo Electric's servers. Under RFC 2606, example.com resolves only to IP addresses assigned to the Internet Assigned Names Authority. Microsoft confirmed it has "updated the service to no longer provide suggested server information for example.com" and said it is investigating.
Security researcher Dan Tentler of Phobos Group noted the company appears to have simply removed the problematic endpoint rather than fixing the underlying routing -- "not found" errors now appear where the JSON responses previously occurred. Tinyapps.org, which noted the behavior earlier this month, said the misconfiguration had persisted for five years. Microsoft has not explained how Sumitomo Electric's domain entered its configuration. The incident follows 2024's revelation that a forgotten test account with admin privileges enabled Russia-state hackers to monitor Microsoft executives' email for two months.
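One way a mail auto-configuration service could be regression-tested for the failure described above, as an added example that is not code from Microsoft, Ars Technica or the researchers. The JSON layout, the function names and the `.jp` hostnames are assumptions constructed for illustration; the check goes slightly beyond example.com and covers every name RFC 2606 reserves.

```python
import json

# Names reserved by RFC 2606: second-level example domains and reserved TLDs.
RESERVED_SLDS = ("example.com", "example.net", "example.org")
RESERVED_TLDS = ("test", "example", "invalid", "localhost")

def is_reserved(name: str) -> bool:
    """True if name is, or is a subdomain of, an RFC 2606 reserved name."""
    host = name.strip().rstrip(".").lower()
    if not host:
        return False
    if host.rsplit(".", 1)[-1] in RESERVED_TLDS:
        return True
    return any(host == d or host.endswith("." + d) for d in RESERVED_SLDS)

def audit_suggestion(email_domain: str, response_json: str) -> list[str]:
    """Findings for one auto-configuration response (hypothetical schema:
    {"protocols": [{"type": ..., "hostname": ..., "port": ...}]})."""
    if not is_reserved(email_domain):
        return []  # only reserved domains are in scope for this check
    try:
        doc = json.loads(response_json)
    except json.JSONDecodeError:
        return [f"{email_domain}: unparseable response"]
    if not isinstance(doc, dict):
        return [f"{email_domain}: unexpected response shape"]
    findings = []
    for proto in doc.get("protocols", []):
        host = str(proto.get("hostname", ""))
        # A reserved domain must never be pointed at a real third-party host,
        # because a client would then send its credentials there.
        if host and not is_reserved(host):
            kind = proto.get("type", "?")
            findings.append(f"{email_domain}: {kind} suggests non-reserved host {host}")
    return findings

# Constructed sample responses; the hostnames are placeholders, not real servers.
BAD_RESPONSE = json.dumps({"protocols": [
    {"type": "imap", "hostname": "imap.constructed-isp-placeholder.jp", "port": 993},
    {"type": "smtp", "hostname": "smtp.constructed-isp-placeholder.jp", "port": 465},
]})
GOOD_RESPONSE = json.dumps({"protocols": []})

if __name__ == "__main__":
    for finding in audit_suggestion("example.com", BAD_RESPONSE):
        print(finding)
```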
Well done (Score:2)
Haha. Microsoft -- the absolute bastions of security.
Re: (Score:2)
I wonder what they are smoking.
Monkeys Could Fly Out My Butt (Score:2)
Such a convoluted and manufactured premise.
But the "security" company got their name in the news. So, they've got that going for them.
If you want passwords, there are plenty of lists available for free and for sale. There's no need to go to all this trouble.
Might want to see a proctologist about that (Score:2)
Stupid convoluted insecurities are how those lists get populated in the first place.
RFC 2606 (Score:2)
I checked out [1]RFC 2606 [rfc-editor.org], and there is nothing there about using IANA-assigned IP addresses (in the case of IPv6, it's 2001::/23). It would seem to me that the most appropriate IP address to use for example.com would be 2001:db8:1:1::0af5, since one would be mapping example.com to an address from the reserved space for examples in IPv6.
Sorry, I don't know if there is an equivalent block in IPv4 for documentation purposes like the 2001:db8::/32. The only IANA assigned addresses have 0 in the first byte of an IP
[1] https://www.rfc-editor.org/rfc/rfc2606
Re: (Score:3)
The RFC states the following:
6. DNS server operators SHOULD be aware that example names are reserved for use in documentation.
7. DNS Registries/Registrars MUST NOT grant requests to register example names in the normal way to any person or entity. All example names are registered in perpetuity to IANA:
Re: (Score:2)
Never say anything private when you think no one is listening, otherwise you deserve to have everyone know your secret?
Because no worthwhile human ever makes inane mistakes; even when they should be able to rely on a multi-billion dollar corporation to follow a specification...
In related news ... (Score:2)
... Slashdot (or its advertisers) seem to be loading from known scam sites. error-report.com being the primary example. And attempting to follow that trail who-knows-where leads me to another "evil" page, html-load.com. Both of which (being scam sites) have been blocked by my ISP (thank you very much).
I understand the link between these sites and ad-blocker walls. But there are a couple of issues: 1) I'm not running an ad blocker. That's my ISP doing the blocking, so I can't "turn it off". 2) Why, upon de
Re: (Score:1)
Disable javascript on slashdot and all of your dreams will come true...
Re: (Score:2)
> Disable javascript on slashdot
It's not Slashdot loading this stuff directly. It's the ad sites.
It's also not all JavaScript. Some is broken CSS and remote styles.
Re: In related news ... (Score:2)
My dream includes being able to see moderation details
misconfiguration on Microsoft DNS servers? (Score:2)
I'm guessing someone either requested or accidentally took the initiative to add a CNAME pointing to the Japanese domain name. Normally this would be considered a small mistake and non-service-impacting... I disagree with the cybersecurity risk of someone using a fake account@example.com with real passwords. That seems like an odd concern (unless I'm missing something).