"Exchange/Outlook Autodiscover Bug Spills 100K+ Email Passwords"

Guardicore security researchers have discovered a severe design bug in Microsoft Exchange’s Autodiscover protocol, which lets users configure applications such as Microsoft Outlook with just an email address and password. The researchers stated that the flaw has caused the Autodiscover service to leak nearly 100,000 unique login names and passwords for Windows domains worldwide. The design flaw causes the protocol to leak web requests to Autodiscover domains outside of the user’s own domain if they share the same TLD, e.g., autodiscover.com. Guardicore registered a slew of those domains and found that researchers could set them up to intercept clear-text account credentials from hapless users experiencing network difficulties or whose admins goofed on configuring DNS. The researchers noted that this flaw is a severe security issue: if an attacker can control such domains or sniff traffic on the same network, they can capture domain credentials in plain text (HTTP Basic authentication) as they are transferred over the wire. The researchers also stated that if the attacker has large-scale DNS-poisoning capabilities (such as a nation-state attacker), they could systematically siphon out leaked passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs (top-level domains). The flaw has not been patched, and Microsoft Senior Director Jeff Jones stated that Guardicore disclosed the flaw publicly before reporting it to the company. This is not the first time that the flaw has been publicly reported.
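One way a defender can spot this leak in their own telemetry is to check outbound proxy logs for Autodiscover requests whose host is a parent domain or bare TLD of a domain the organisation controls, or that go out over plain HTTP. The script below is an added example (not Guardicore's or Microsoft's code); the organisation domains and the proxy log lines are constructed for illustration.

```python
"""Flag Outlook Autodiscover requests that left the organisation's domains."""
import re

# Constructed assumption: domains this organisation actually controls.
ORG_DOMAINS = {"example.com", "mail.example.co.uk"}

# Constructed proxy log lines: <time> <client> <method> <url> <status>
SAMPLE_LOG = """\
2021-09-22T10:01:02Z 10.0.0.5 POST https://autodiscover.example.com/autodiscover/autodiscover.xml 200
2021-09-22T10:01:03Z 10.0.0.5 POST https://autodiscover.com/autodiscover/autodiscover.xml 401
2021-09-22T10:01:04Z 10.0.0.5 POST http://autodiscover.com/autodiscover/autodiscover.xml 401
2021-09-22T10:02:10Z 10.0.0.9 POST https://autodiscover.example.co.uk/autodiscover/autodiscover.xml 200
2021-09-22T10:02:11Z 10.0.0.9 GET https://www.example.com/ 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) "
    r"(?P<scheme>https?)://(?P<host>[^/\s]+)(?P<path>\S*) (?P<status>\d+)$"
)


def classify_autodiscover(scheme, host, path, org_domains=ORG_DOMAINS):
    """Return a list of findings for one request; empty when benign."""
    host = host.lower().rstrip(".")
    if not host.startswith("autodiscover.") or "autodiscover.xml" not in path.lower():
        return []  # not an Autodiscover lookup at all
    target = host[len("autodiscover."):]
    findings = []
    if target not in org_domains:
        if any(d.endswith("." + target) for d in org_domains):
            # The client fell back to a parent domain / TLD we do not control.
            findings.append(f"Autodiscover fell back outside org control: {host}")
        else:
            findings.append(f"Autodiscover request to unrelated domain: {host}")
    if scheme == "http":
        # Basic authentication over HTTP puts the password on the wire in clear text.
        findings.append(f"plain HTTP to {host}: Basic auth credentials sent unencrypted")
    return findings


def scan_log(text, org_domains=ORG_DOMAINS):
    """Return (client, finding) pairs for every suspicious line in the log."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for finding in classify_autodiscover(m["scheme"], m["host"], m["path"], org_domains):
            hits.append((m["client"], finding))
    return hits


if __name__ == "__main__":
    for client, finding in scan_log(SAMPLE_LOG):
        print(client, finding)
```

Feeding real proxy or DNS logs through `scan_log` with your own domain set lists which clients are already spilling credentials to Autodiscover hosts you do not own.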


Threatpost reports: "Exchange/Outlook Autodiscover Bug Spills 100K+ Email Passwords"
