Windows RDP lets you log in using revoked passwords. Microsoft is OK with that.
Summary
A security researcher, Daniel Wade, has reported that even after a user changes their password, Windows Remote Desktop Protocol (RDP) logons continue to accept the previous password, leaving devices reachable with a credential the user believes has been revoked.
Wade said this situation is causing a “trust breakdown”, as users assume that changing their password will ensure their old password no longer works on any device.
Once informed of the issue, Microsoft claimed that the situation is due to a “design decision” to ensure that a user account can always log in, and that it is not a security vulnerability.
Microsoft also said it has no plans to change the protocol, meaning devices could be at risk indefinitely.
This is the second recent issue involving the protocol, after the company acknowledged that attackers had exploited Windows RDP in the attack on uBiome.
This story is a powerful example of the complex nature of cybersecurity: the assumption that changing a password by itself revokes all access is a dangerous one, since a rotation only helps where every logon path actually checks the new credential.