Security News > 2021 > September > Microsoft Exchange Bug Exposes ~100,000 Windows Domain Credentials

An unpatched design flaw in the implementation of Microsoft Exchange's Autodiscover protocol has resulted in the leak of approximately 100,000 login names and passwords for Windows domains worldwide.

"This is a severe security issue, since if an attacker can control such domains or has the ability to 'sniff' traffic in the same network, they can capture domain credentials in plain text that are being transferred over the wire," Guardicore's Amit Serper said in a technical report.

The weakness discovered by Guardicore resides in a specific implementation of Autodiscover based on the POX XML protocol that causes the web requests to Autodiscover domains to be leaked outside of the user's domain but in the same top-level domain.

Armed with this discovery and by registering a number of Autodiscover top-level domains as honeypots, Guardicore said it was able to access requests to Autodiscover endpoints from different domains, IP addresses, and clients, netting 96,671 unique credentials sent from Outlook, mobile email clients, and other applications interfacing with Microsoft's Exchange server over a four-month period between April 16, 2021, and August 25, 2021.

The domains of those leaked credentials belonged to several entities from multiple verticals spanning publicly traded corporations in China, investment banks, food manufacturers, power plants, and real estate firms, the Boston-based cybersecurity company noted.

To make matters worse, the researchers developed an "Ol' switcheroo" attack that involved sending a request to the client to downgrade to a weaker authentication scheme in place of secure methods like OAuth or NTLM, prompting the email application to send the domain credentials in cleartext.

News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/nI_vQihlxnA/microsoft-exchange-bug-exposes-100000.html