Microsoft no longer holds an important subdomain that Windows 10 uses to curate RSS-based news and updates for Windows Live Tiles. Known as notifications.buildmypinnedsite.com, the subdomain is now under the control of German security researcher Hanno Böck.
Animated Start Menu tiles are a nice OS touch that lets updates arrive on Windows Live Tiles. As the name suggests, the subdomain was part of buildmypinnedsite.com, which Microsoft launched alongside Windows 8.
The service allows websites to create and show live updates inside Windows Start menu tiles. For example, Microsoft Edge users could pin a web page directly to the Start menu on Windows 10 (Start Page on Win8).
This was achieved through a meta tag placed by the website through buildmypinnedsite.com. Users would click the website's Start menu tile and Windows would interpret the metadata. It would then show notifications from the site within the Live Tile. Of course, this process was virtually instantaneous on the client side.
It was a nice idea in concept, but Windows Live Tiles struggled with the number of RSS feed formats it had to handle. This is where notifications.buildmypinnedsite.com came into the equation. Microsoft recommended it because it would convert RSS feeds into an XML format that was easier for Live Tiles to handle.
While this became popular with website developers, Böck says the subdomain no longer functions.
“The host that should deliver the XML files – notifications.buildmypinnedsite.com – only showed an error message from Microsoft's cloud service Azure,” he said. “The host was redirected to a subdomain of Azure. However this subdomain wasn't registered with Azure.”
As the subdomain was inactive, the researcher decided to register it through Azure, but he is blocking any requests. He has warned Microsoft that he won't run the subdomain indefinitely. Once it is free, it could be abused by bad actors.
“We won't keep the host registered permanently. There's a decent amount of traffic reaching this host and running up costs,” Böck adds.
“Once we cancel the subdomain a bad actor could register it and abuse it for malicious attacks,” he concluded.
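The condition Böck describes, a DNS name still pointing at a cloud hostname its owner no longer holds, can be audited from the owner's side. The following is an added example, not code from Böck or Microsoft: it compares a zone's CNAME targets against an inventory of cloud hostnames the organisation currently holds. The zone, the inventory and the suffix list are constructed assumptions.

```python
# Added example: flag CNAMEs that point at claimable cloud hostnames
# missing from the organisation's own resource inventory.

# Assumption: suffixes under which a cloud tenant can claim a hostname.
CLAIMABLE_SUFFIXES = (".azurewebsites.net", ".cloudapp.net", ".trafficmanager.net")

def fqdn(name, origin):
    """Expand a zone-file name to a lowercase FQDN without the trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    return name[:-1] if name.endswith(".") else f"{name}.{origin}"

def parse_cnames(zone_text, origin):
    """Yield (owner, target) for lines shaped 'name [ttl] [IN] CNAME target'."""
    origin = origin.lower().rstrip(".")
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()      # strip comments
        upper = [f.upper() for f in fields]
        if "CNAME" not in upper[1:-1]:              # need an owner before, a target after
            continue
        i = upper.index("CNAME", 1)
        yield fqdn(fields[0], origin), fqdn(fields[i + 1], origin)

def find_dangling(zone_text, origin, owned_hosts):
    """Return CNAMEs whose cloud target is not in the inventory of held resources."""
    owned = {h.lower().rstrip(".") for h in owned_hosts}
    return [(owner, target)
            for owner, target in parse_cnames(zone_text, origin)
            if target.endswith(CLAIMABLE_SUFFIXES) and target not in owned]

# Constructed sample zone for example.com
ZONE = """\
; constructed sample data
www            3600 IN A     192.0.2.10
notifications  3600 IN CNAME old-feed-service.azurewebsites.net.
shop           3600 IN CNAME example-shop.azurewebsites.net.
docs                IN CNAME www
cdn            300  IN CNAME Edge-Example.trafficmanager.net.  ; mixed case
"""
# Constructed inventory: cloud hostnames the organisation still holds.
OWNED = ["example-shop.azurewebsites.net"]

if __name__ == "__main__":
    for owner, target in find_dangling(ZONE, "example.com", OWNED):
        print(f"DANGLING {owner} -> {target}")
```

Checking against an inventory rather than a DNS lookup matters here: per Böck's account the host still answered with an Azure error page, so the name resolving says nothing about who holds the target.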