"An Email 'Autodiscover' Bug Is Helping to Leak Thousands of Windows Passwords"

New research shows that shipping companies, power plants, and investment banks are inadvertently leaking thousands of their employees' email passwords because of a design flaw in the Microsoft Autodiscover protocol. Autodiscover is used to authenticate to Microsoft Exchange servers and to configure client access: it lets a mail or calendar app on a phone or computer be set up from just an employee's email address and password, offloading the configuration work to the server so that the app does not have to be configured manually.

Guardicore researchers acquired Autodiscover domains under some of the most common top-level domains and set them up to receive the leaky requests as they arrived. They identified 340,000 exposed Exchange mailbox credentials hitting those domains. Some companies allow those same credentials to be used for logging on to the domain itself, which poses a risk if a threat actor abuses them. According to Guardicore, the credentials were sent over the Internet in plaintext. Another 96,000 Exchange credentials were sent using protocols that are significantly stronger and cannot be decrypted, but the apps sending them could still be tricked into resending the same credentials in cleartext. Amit Serper, AVP of security research at Guardicore Labs, developed an attack in which the encrypted credentials are bounced back with a request that the app use weaker security to send the email address and password again, causing the app to resend them in cleartext. This article continues to discuss the Microsoft Autodiscover vulnerability.
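A defender-side check suggested by the research above, as an added example that is not Guardicore's or TechCrunch's code: it scans constructed proxy-log lines for Autodiscover requests that leave the organisation's own domains (such as the TLD-level autodiscover hosts the researchers registered) and flags plaintext HTTP and Basic credentials; the log format and ORG_DOMAINS are assumptions.

```python
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic), one request per line:
# <timestamp> <user> <method> <url> <status> <auth-scheme-sent-or-dash>
SAMPLE_LOG = """\
2021-09-22T08:01:12Z alice GET https://autodiscover.example.com/autodiscover/autodiscover.xml 200 Bearer
2021-09-22T08:01:13Z bob GET https://example.com/autodiscover/autodiscover.xml 404 -
2021-09-22T08:01:14Z bob GET http://autodiscover.com/autodiscover/autodiscover.xml 401 -
2021-09-22T08:01:15Z bob GET http://autodiscover.com/autodiscover/autodiscover.xml 200 Basic
2021-09-22T08:02:00Z carol GET https://www.example.com/ 200 -
"""

# Domains the organisation controls (assumed for this example).
ORG_DOMAINS = {"example.com"}


def expected_autodiscover_hosts(org_domains):
    """Hosts an Exchange client legitimately contacts for Autodiscover:
    the mail domain itself and its autodiscover.<domain> subdomain."""
    hosts = set()
    for domain in org_domains:
        hosts.add(domain)
        hosts.add("autodiscover." + domain)
    return hosts


def analyse(log_text, org_domains=ORG_DOMAINS):
    """Return one finding per Autodiscover request that left the organisation."""
    allowed = expected_autodiscover_hosts(org_domains)
    findings = []
    for line in log_text.splitlines():
        ts, user, method, url, status, auth = line.split()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if "/autodiscover/" not in parts.path.lower() or host in allowed:
            continue  # not an Autodiscover request, or it stayed in-house
        reasons = ["Autodiscover request to external host"]
        if host.startswith("autodiscover.") and host.count(".") == 1:
            reasons.append("host is a bare TLD-level autodiscover domain")
        if parts.scheme != "https":
            reasons.append("sent over plaintext HTTP")
        if auth.lower() == "basic":
            reasons.append("Basic credentials included")
        findings.append({"time": ts, "user": user, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["time"], f["user"], f["host"], "; ".join(f["reasons"]))
```

Run against the sample, only bob's two requests to autodiscover.com are reported; the second is the one that actually carried Basic credentials over plaintext HTTP.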

TechCrunch reports "An Email 'Autodiscover' Bug Is Helping to Leak Thousands of Windows Passwords"

Submitted by Anonymous on