Someone who bought typos of Windows.com ended up with 200,000 visitors in two weeks

There was an interesting story on Ars Technica today that I thought was worth sharing with all of you. Before I share the story I’ll just mention that I’m not a fan of typo domains, don’t own any, don’t plan to. And as you’ll see, this story isn’t about a typo-squatter per se; instead, it’s about a researcher who decided to run an experiment and got some pretty interesting results.

The idea was a simple one – register variants of windows.com that were one bit flip away from the actual domain. Here’s the general reason why this happens and what it means:

An independent researcher recently demonstrated how bitflips can come back to bite Windows users when their PCs reach out to Microsoft’s windows.com domain. Windows devices do this regularly to perform actions like making sure the time shown in the computer clock is accurate, connecting to Microsoft’s cloud-based services, and recovering from crashes. (Source – Ars Technica)

There are 32 possible bitflipped domains, and the researcher here, who decided to go by “Remy”, found that 14 of the 32 were actually just sitting out there available to hand register.
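For a domain owner who wants to audit their own exposure, the set of one-bit-flip variants can be enumerated directly. The following is an added example, not code from the researcher or the article; the function names are hypothetical, and it assumes that only the leftmost label is flipped (the TLD stays fixed) and that a variant counts only if it is still a valid hostname label. Under those rules windows.com yields 32 variants.

```python
import string

# Characters allowed in a DNS hostname label (letters, digits, hyphen).
LDH = set(string.ascii_lowercase + string.digits + "-")


def bitflip_labels(label: str) -> list[str]:
    """Return every valid label that differs from `label` by one flipped bit."""
    label = label.lower()
    found = set()
    for pos, ch in enumerate(label):
        for bit in range(8):
            code = ord(ch) ^ (1 << bit)
            if code > 0x7F:
                continue  # high bit set: not ASCII, not a valid label byte
            flipped = chr(code).lower()  # DNS is case-insensitive
            if flipped not in LDH:
                continue  # e.g. '.', '/', '~' or control characters
            candidate = label[:pos] + flipped + label[pos + 1:]
            if candidate == label:
                continue  # case-only change resolves to the same name
            if candidate.startswith("-") or candidate.endswith("-"):
                continue  # labels may not begin or end with a hyphen
            found.add(candidate)
    return sorted(found)


def bitflip_domains(domain: str) -> list[str]:
    """Flip bits in the leftmost label only; the rest is kept as-is (assumption)."""
    label, _, rest = domain.partition(".")
    return [f"{variant}.{rest}" for variant in bitflip_labels(label)]


if __name__ == "__main__":
    variants = bitflip_domains("windows.com")
    print(len(variants), "one-bit variants to register or monitor:")
    for name in variants:
        print(" ", name)
```

The output is the list a brand owner would check against their existing registrations and DNS monitoring.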

I was surprised to hear this because normally companies scoop up these names, especially companies like Microsoft…and especially when their computers can perform tasks that send traffic to them. But that wasn’t the case, and Remy got them, and with them came a surprising amount of traffic:

Over the course of two weeks, Remy’s server received 199,180 connections from 626 unique IP addresses that were trying to contact ntp.windows.com. By default, Windows machines will connect to this domain once per week to check that the time shown on the device clock is correct. What the researcher found next was even more surprising.

“The NTP client for windows OS has no inherent verification of authenticity, so there is nothing stopping a malicious person from telling all these computers that it’s after 03:14:07 on Tuesday, 19 January 2038 and wreaking unknown havoc as the memory storing the signed 32-bit integer for time overflows,” he wrote in a post summarizing his findings. “As it turns out though, for ~30% of these computers doing that would make little to no difference at all to those users because their clock is already broken.” (Source – Ars Technica)

I don’t want to re-write the whole article here so I’ll leave it for you to read more if you find it interesting. One additional piece of data that seems to have come in after the article was written is that there’s no real way to prove the traffic Remy got on these domains came from bitflips. The reality is, these are typos of Windows.com and well, there are a lot of people typing Windows.com and probably code out there with it spelled wrong as well.

Either way, it’s crazy to think that someone went out and hand registered 14 domains for $126 and suddenly had 400,000 visitors a month coming his way 🤯

Morgan Linton