Security News > 2021 > August > Microsoft Exchange ‘ProxyToken’ Bug Allows Email Snooping

Microsoft Exchange uses two websites; one, the front end, is what users connect to in order to access email.
"The front-end website is mostly just a proxy to the back end. To allow access that requires forms authentication, the front end serves pages such as /owa/auth/logon.aspx," according to a Monday posting on the bug from Trend Micro's Zero Day Initiative.
"For all post-authentication requests, the front end's main role is to repackage the requests and proxy them to corresponding endpoints on the Exchange Back End site. It then collects the responses from the back end and forwards them to the client."
The issue arises specifically in a feature called "Delegated Authentication," where the front end passes authentication requests directly to the back end.
These requests carry a SecurityToken cookie that identifies them; i.e., if the front end finds a non-empty cookie named SecurityToken, it delegates authentication to the back end.
Exchange has to be specifically configured to have the back end perform the authentication checks; in a default configuration, the module responsible for that isn't loaded.
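The delegation condition described above is a useful detection signal: a front end that has not been configured for Delegated Authentication should never see a non-empty SecurityToken cookie. The following is an added example (not code from the article or from ZDI) that parses a constructed, simplified request record format and flags such requests; the `OwaSession` cookie name and the record layout are assumptions made for the sample.

```python
import re

# Constructed sample of front-end request records in a simple
# "METHOD PATH STATUS Cookie: ..." shape; not real Exchange or IIS log output.
SAMPLE_LOG = """\
GET /owa/auth/logon.aspx 200 Cookie: -
POST /owa/ 200 Cookie: OwaSession=abc123
POST /owa/service.svc 200 Cookie: SecurityToken=x
POST /owa/service.svc 200 Cookie: SecurityToken=; OwaSession=abc123
GET /owa/service.svc 401 Cookie: SecurityToken=x
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) Cookie: (.*)$")


def parse_cookies(header):
    """Parse 'a=1; b=2' into a dict; '-' means no Cookie header was sent."""
    cookies = {}
    if header.strip() == "-":
        return cookies
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    method, path, status, cookie_hdr = m.groups()
    return {"method": method, "path": path, "status": int(status),
            "cookies": parse_cookies(cookie_hdr)}


def delegated_auth_hits(log_text, delegated_auth_configured=False):
    """Return records where the front end would hand authentication to the
    back end, i.e. a non-empty SecurityToken cookie is present. Unless the
    deployment really configured delegated authentication, each one is
    anomalous; a 2xx status means the request was served, not rejected."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        token = rec["cookies"].get("SecurityToken", "")
        if not token or delegated_auth_configured:
            continue
        rec["served"] = 200 <= rec["status"] < 300
        hits.append(rec)
    return hits
```

An empty `SecurityToken=` value is deliberately not flagged, matching the "non-empty" condition the front end applies.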
News URL
https://threatpost.com/microsoft-exchange-proxytoken-email/169030/