When he received an email saying that he was on Microsoft’s list of the 75 most valuable hackers, alongside big names in the computer security industry that he has followed for a long time, Fábio Pires was beyond overjoyed. «I was super happy, especially because I think it’s not relatively easy to get into [the list]», he confides in an interview with Exame Informática.
To be part of this elite, you must have submitted security flaws in products and services belonging to Microsoft over the last year. The list, revealed during Black Hat, one of the most renowned events linked to cybersecurity, which took place in the USA, places Fábio Pires in 67th position and comes with an additional element: next to his name is a symbol that distinguishes him as a high-effectiveness hacker.
«This in practice means that all the vulnerabilities I submitted were all considered valid and had an impact», explains the 30-year-old Portuguese, who grew up in Marinha Grande, but now lives in London, in the United Kingdom. In total, he reported eight vulnerabilities, but in practice the flaw was just one – one that gave him access to almost 500 subdomains of some of the North American giant’s main products.
The vulnerability in question is known as subdomain takeover and allows a hacker to gain access to a subdomain and use it, for example, in phishing campaigns. In this particular case, Fábio Pires discovered hundreds of Microsoft subdomains associated with some of the American company’s main web addresses, such as microsoft.com, windows.com, office.com and xbox.com, among others.
«They had lots of products with this vulnerability. And when I say products, I mean main sites where the subdomains were poorly configured», he tells us. “The impact is that I, as an attacker, could control more or less 500 Microsoft subdomains.”
In practice, the subdomains found by the Portuguese researcher had been “forgotten” by the Microsoft teams, but their DNS records remained in place, still pointing to external hosting services. If a subdomain was “pointing” to Amazon Web Services, for example, Fábio Pires would simply have to create a bucket on the platform with the name of the subdomain to gain control over it.
And as they were subdomains of brands with a great reputation, this would be the perfect starting point for highly effective phishing attacks. «I can simply send an email to a company saying “a new update for your product has come out, download the file at anything.microsoft.com”», he explains. «Even firewalls see this traffic as coming from a website that initially belongs to Microsoft and do not block you. From there you have a huge advantage.»
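As an added illustration of the misconfiguration described above (this is not code from the article or from the researcher), here is a defender-side audit over a constructed set of DNS records: it flags CNAME records that point at third-party hosting where the target resource is no longer claimed, which is exactly the state that lets someone else register it. The record set, the provider suffix list and the `sample_is_claimed` lookup are constructed assumptions; a real audit would replace the lookup with live DNS and HTTP checks against each target.

```python
from typing import Callable, Dict, List, Tuple

# Suffixes of hosting services where an unclaimed target name can be
# registered by any account holder. Illustrative list, not exhaustive.
CLAIMABLE_SUFFIXES = (
    ".s3.amazonaws.com",
    ".azurewebsites.net",
    ".github.io",
    ".herokuapp.com",
)

# Constructed sample zone export: (owner name, record type, record data).
SAMPLE_RECORDS: List[Tuple[str, str, str]] = [
    ("docs.example.com", "CNAME", "docs-example.s3.amazonaws.com."),
    ("shop.example.com", "CNAME", "shop-prod.azurewebsites.net."),
    ("www.example.com", "A", "203.0.113.10"),
    ("legacy.example.com", "CNAME", "legacy-app.herokuapp.com."),
]

# Constructed probe results. For most providers "claimed" means the target
# still resolves; for S3 the name always resolves and the signal is instead
# an HTTP "NoSuchBucket" error, so the probe is provider-specific in practice.
SAMPLE_CLAIMED: Dict[str, bool] = {
    "docs-example.s3.amazonaws.com": False,   # bucket was deleted
    "shop-prod.azurewebsites.net": True,      # app still exists
    "legacy-app.herokuapp.com": False,        # app was torn down
}


def sample_is_claimed(target: str) -> bool:
    """Offline stand-in for a live DNS/HTTP probe of the CNAME target."""
    return SAMPLE_CLAIMED.get(target, False)


def find_dangling(records: List[Tuple[str, str, str]],
                  is_claimed: Callable[[str], bool]) -> List[Dict[str, str]]:
    """Return CNAMEs pointing at claimable hosting whose target is unclaimed."""
    findings = []
    for name, rtype, data in records:
        if rtype != "CNAME":
            continue
        target = data.rstrip(".").lower()
        provider = next((s for s in CLAIMABLE_SUFFIXES if target.endswith(s)), None)
        if provider is None or is_claimed(target):
            continue
        findings.append({"subdomain": name, "target": target,
                         "provider": provider.lstrip("."),
                         "fix": "delete the CNAME or re-create the resource"})
    return findings


def audit_sample() -> List[Dict[str, str]]:
    return find_dangling(SAMPLE_RECORDS, sample_is_claimed)
```

Each finding is a record to remove (or a resource to re-create under your own account) before the name is registered by someone else; running this against a real zone export on a schedule catches the "forgotten" subdomains the article describes.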
Many vulnerabilities in the wild
The first time Fábio came into contact with the subdomain takeover technique was while fixing a flaw at the company he worked for in mid-2018, WorldRemit. But when he decided to look for other companies that were exposed to the vulnerability, he found many doors wide open.
At this stage, he already had the help of his colleague Francesco Mifsud to warn all the vulnerable companies: Siemens, Avast, Adidas, Royal Bank of Scotland, GitHub, Dell, Lufthansa and TeamViewer were some of the organizations that responded to the alert given by the research duo by correcting the problem. Other reputable companies were also alerted, but had not yet made corrections. Fábio dedicated almost a month to this process, during which he received many t-shirts as a form of gratitude, he jokingly recalls.
Now working as mobile application security lead at News UK, one of the largest British media conglomerates and responsible for publications such as The Sun and The Times, the Portuguese says he wants to “continue to grow” and hopes to soon “lead a team” of computer security researchers.
For now, it’s time to enjoy the days off he came to Portugal for, and also his honeymoon: on the day he gave the interview to Exame Informática, Fábio had just gotten married. The genius Fábio Pires is the son of Carlos Pires, born in the province of Moxico, and Ana Bela Pires, born in Benguela.
Source: Exame/RM/TPA