
Exchange/Outlook Autodiscover Bug Spills $100K+ Email Passwords
2021-09-24 18:46

Guardicore security researcher Amit Serper has discovered a severe design bug in Microsoft Exchange's Autodiscover, the protocol that lets mail clients such as Microsoft Outlook configure themselves from nothing more than an email address and a password.

The flaw has caused the Autodiscover service to leak nearly 100,000 unique login names and passwords for Windows domains worldwide, Serper said in a technical report released this week.

The design flaw is in the client's "back-off" behaviour: when the Autodiscover endpoint for the user's own domain cannot be found, the client strips the leftmost label from the domain and tries again, so a lookup for user@example.com ends up sending its Autodiscover web request (credentials included) to a host outside the organisation that merely shares the same TLD, i.e. autodiscover.com.
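The candidate-host walk described above, as an added example that is not code from the article or from Guardicore. It models only the client-side search order (no network traffic), uses a constructed stand-in for the Public Suffix List, and assumes, as Guardicore's report describes, that a rogue host answering with an HTTP 401 Basic challenge receives the user's credentials in the retried request. The hardened variant at the end simply refuses to step above the user's own registrable domain.

```python
"""Model of the Autodiscover 'back-off' and why it leaks credentials.

Added example for illustration; not code from the article or Guardicore.
"""
from __future__ import annotations

import base64

# Constructed stand-in for the Public Suffix List (assumption: a real client
# would load the full list, e.g. from publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "br", "com.br", "cn", "com.cn"}


def registrable_domain(host: str) -> str:
    """Organisation-level domain of a host: mail.example.co.uk -> example.co.uk.

    Checks suffixes from longest to shortest and keeps one label above the
    first public suffix found.
    """
    labels = host.lower().strip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def backoff_candidates(email: str) -> list[str]:
    """Hosts the flawed client tries, in order, for the address's domain.

    The flaw: after autodiscover.<domain> fails, the leftmost label is dropped
    and 'autodiscover.' is prepended again, until only the TLD remains, so
    user@example.com finishes at autodiscover.com.
    """
    domain = email.rsplit("@", 1)[1].lower()
    labels = domain.split(".")
    return [f"autodiscover.{'.'.join(labels[i:])}" for i in range(len(labels))]


def leaked_hosts(email: str) -> list[str]:
    """Candidates outside the user's own registrable domain.

    Whoever registers one of these names receives the Autodiscover request.
    """
    org = registrable_domain(email.rsplit("@", 1)[1])
    return [h for h in backoff_candidates(email) if registrable_domain(h) != org]


def bounded_candidates(email: str) -> list[str]:
    """Hardened search: never leave the user's registrable domain."""
    org = registrable_domain(email.rsplit("@", 1)[1])
    return [h for h in backoff_candidates(email) if registrable_domain(h) == org]


def credentials_from_basic(authorization: str) -> tuple[str, str] | None:
    """What the rogue server recovers from an 'Authorization: Basic' header.

    Basic auth is only base64, so the domain user name and password come back
    in clear text.
    """
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    decoded = base64.b64decode(token).decode("utf-8", "replace")
    user, _, password = decoded.partition(":")
    return user, password


# Constructed sample of the header a client sends after a 401 Basic challenge.
SAMPLE_AUTHORIZATION = "Basic " + base64.b64encode(b"CORP\\alice:Winter2021!").decode()


if __name__ == "__main__":
    for addr in ("user@example.com", "user@mail.example.co.uk"):
        print(addr)
        print("  flawed order :", backoff_candidates(addr))
        print("  leaks to     :", leaked_hosts(addr))
        print("  bounded order:", bounded_candidates(addr))
    print("rogue server sees:", credentials_from_basic(SAMPLE_AUTHORIZATION))
```

Run it stand-alone and the "leaks to" lines show which hosts an attacker only has to register to receive the traffic; the bounded search never produces one. The same check (compare registrable domains, not raw suffixes) is what a client or proxy should apply before retrying any Autodiscover URL.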

Guardicore Labs registered 11 Autodiscover domains under TLD suffixes spanning the globe (the list is in the report) and simply waited for clients to connect to them.

Over a four-month collection period, Guardicore captured 372,072 Windows domain credentials, 96,671 of them unique, leaked by Microsoft Outlook, mobile email clients and other applications that talk to Microsoft Exchange.

Because Exchange authenticates users against the Windows domain, a credential that logs in to one of these businesses' Exchange inboxes is, in most cases, also that user's domain credential, which sets the stage for a world of cybersecurity hurt.


News URL

https://threatpost.com/exchange-outlook-autodiscover-bug-spills-100k-email-passwords/175004/