- Security researcher Daniel Wade discovers worrying Microsoft RDP feature
- This allows old credentials to be used when logging in
- Microsoft has confirmed it has no plans to change this
Security researcher Daniel Wade has discovered a protocol within Microsoft’s Remote Desktop Protocol (RDP), which allows users to log into machines using revoked passwords.
Wade’s report warns “this isn’t just a bug. It’s a trust breakdown,” reminding Microsoft that people change their passwords trusting that this will “cut off unauthorized access”, making this feature entirely counter-intuitive. Wade cautioned “millions of users—at home, in small businesses, or hybrid work setups—are unknowingly at risk.
Surprisingly, in its response, Microsoft said this behaviour is not a bug – instead calling it, “a design decision to ensure that at least one user account always has the ability to log in no matter how long a system has been offline.”
A feature, not a bug
Microsoft confirmed the issue did not meet its definition of a security vulnerability, and that the firm has no plans to make any changes to this.
According to Wade’s report, there’s no clear way for end-users to detect or fix the issue on their end either, and Azure, Defender, Entra ID don’t raise any flags, leaving users vulnerable even if they’re taking protective measures.
“This creates a silent, remote backdoor into any system where the password was ever cached. Even if the attacker never had access to that system, Windows will still trust the password,” Wade argues.
Credential stealing and data breaches are far too common, and compromised passwords are a serious risk to businesses and users alike. Research has shown that security attacks on password managers have soared, with attacks growing more frequent and sophisticated.
This means regular password rotation is an important facet of cybersecurity, and best password hygiene practices centre revoking old, reused, or compromised passwords – making this feature all the more confusing and concerning.
Via Ars Technica
