Security News > 2021 > September > Microsoft Exchange Autodiscover protocol found leaking hundreds of thousands of credentials
A flaw in Microsoft's Autodiscover protocol, used to configure Exchange clients like Outlook, can cause user credentials to leak to miscreants in certain circumstances.
If the client doesn't receive any response from these URLs - which would happen if Exchange was improperly configured or was somehow prevented from accessing the designated resources - the Autodiscover protocol tries a "Back-off" algorithm that uses Autodiscover with a TLD as a hostname.
Sensing a potential problem with making credentials available to any old TLD with Autodiscover, Guardicore acquired several variations on that theme: Autodiscover.com.
Between April 16, 2021 and August 25, 2021, Guardicore received about 649,000 HTTP requests aimed at its Autodiscover domains, 372,000 requests with credentials in basic authentication, and roughly 97,000 unique pre-authentication requests.
At Black Hat Asia 2017 [PDF], researchers from Shape Security analyzed Autodiscover client implementations in the Samsung Mail app and the Apple iOS Mail app and found flaws that allowed remote attackers to obtain user credentials via domain name collisions.
The Autodiscover flaw extends beyond Microsoft to third-party vendors who have implemented the protocol in their own products.
News URL
Related news
- Microsoft fixes Outlook clients not syncing over Exchange ActiveSync (source)
- 17,000+ Microsoft Exchange servers in Germany are vulnerable to attack, BSI warns (source)
- Germany warns of 17K vulnerable Microsoft Exchange servers exposed online (source)
- These 17,000 unpatched Microsoft Exchange servers are a ticking time bomb (source)
- Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online (source)
- Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online (source)
- Microsoft still unsure how hackers stole MSA key in 2023 Exchange attack (source)
- US Cyber Safety Review Board on the 2023 Microsoft Exchange Hack (source)
- Microsoft will limit Exchange Online bulk emails to fight spam (source)