
Microsoft Exchange Autodiscover protocol found leaking hundreds of thousands of credentials
2021-09-22 13:00

A flaw in Microsoft's Autodiscover protocol, used to configure Exchange clients like Outlook, can cause user credentials to leak to miscreants in certain circumstances.

If the client gets no response from the standard Autodiscover URLs built from the user's email domain - which would happen if Exchange were improperly configured or the client were otherwise prevented from reaching those resources - the Autodiscover protocol falls back to a "back-off" algorithm that uses a hostname built on the bare TLD (Autodiscover plus the TLD) instead.
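The following is an added illustration, not code from the article or from Guardicore or Microsoft. It models the candidate hostnames a client walks through, the back-off step that ends on a TLD-level host, the scope check a client needs so that credentials never leave the user's own domain, and a small proxy-log scan that flags Autodiscover requests to off-domain hosts. The exact back-off rule (strip one leading label at a time until only the TLD is left) and the log format are assumptions made for this example; the standard candidate hosts follow Microsoft's documented lookup order.

```python
"""Autodiscover host back-off: what leaks, and how to check for it.

Added example; not the article's, Guardicore's or Microsoft's code.
Assumptions: the flawed back-off strips leading labels one at a time,
and proxy logs look like the constructed lines in LOG_LINES below.
"""
import re

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def standard_candidates(email_domain):
    """Hosts a client is expected to try first, per Microsoft's documented
    lookup order: the mail domain itself, then autodiscover.<domain>."""
    d = email_domain.lower().rstrip(".")
    return [d, "autodiscover." + d]


def backoff_candidates(email_domain):
    """Assumed flawed back-off: drop the leftmost label of the user's domain,
    re-prefix 'autodiscover.', and repeat until only the TLD remains.
    For example.com this yields ['autodiscover.com']."""
    labels = email_domain.lower().rstrip(".").split(".")
    return ["autodiscover." + ".".join(labels[i:]) for i in range(1, len(labels))]


def host_in_user_domain(host, email_domain):
    """The scope check a safe client needs before sending credentials:
    the target must be the user's domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    d = email_domain.lower().rstrip(".")
    return host == d or host.endswith("." + d)


def leaking_hosts(email_domain):
    """Back-off candidates that fail the scope check, i.e. hosts owned by
    whoever registers autodiscover.<tld>, to which Basic-auth credentials
    would be sent."""
    return [h for h in backoff_candidates(email_domain)
            if not host_in_user_domain(h, email_domain)]


# Constructed proxy log lines (assumed format: time client method url status).
LOG_LINES = [
    "2021-08-25T10:01:02Z 10.0.0.5 POST https://autodiscover.example.com/autodiscover/autodiscover.xml 401",
    "2021-08-25T10:01:03Z 10.0.0.5 POST https://autodiscover.com/autodiscover/autodiscover.xml 200",
    "2021-08-25T10:02:10Z 10.0.0.7 GET https://www.example.com/ 200",
    "garbage line that does not parse",
]

PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>GET|POST) "
    r"https?://(?P<host>[^/\s]+)(?P<path>\S*) (?P<status>\d{3})$"
)


def flag_offdomain_autodiscover(lines, email_domain):
    """Detection: return hosts that received Autodiscover requests but are
    not under the organisation's mail domain. Unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        if (m["path"].lower() == AUTODISCOVER_PATH
                and not host_in_user_domain(m["host"], email_domain)):
            hits.append(m["host"].lower())
    return hits


if __name__ == "__main__":
    for dom in ("example.com", "example.co.uk"):
        print(dom, "standard:", standard_candidates(dom))
        print(dom, "back-off leaks to:", leaking_hosts(dom))
    print("off-domain Autodiscover hosts in log:",
          flag_offdomain_autodiscover(LOG_LINES, "example.com"))
```

The scope check is the part a client implementer has to get right; the log scan is what a defender can run today over existing proxy or DNS telemetry to see whether clients on the network are already walking off the organisation's domain.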

Sensing a potential problem with handing credentials to any old TLD-level Autodiscover host, Guardicore acquired several domains of that form, such as Autodiscover.com.

Between April 16, 2021 and August 25, 2021, Guardicore received about 649,000 HTTP requests aimed at its Autodiscover domains, 372,000 requests with credentials in basic authentication, and roughly 97,000 unique pre-authentication requests.

At Black Hat Asia 2017, researchers from Shape Security analyzed Autodiscover client implementations in the Samsung Mail app and the Apple iOS Mail app and found flaws that allowed remote attackers to obtain user credentials via domain name collisions.

The Autodiscover flaw extends beyond Microsoft to third-party vendors who have implemented the protocol in their own products.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/09/22/microsoft_exchange_autodiscover_protocol_found/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 684 811 4549 4205 3709 13274
Protocol 12 0 4 13 0 17