Story of the creds-leaking Exchange Autodiscover flaw – the one Microsoft wouldn't fix even after 5 years
2021-09-27 23:57

Microsoft Exchange clients like Outlook have been supplying unprotected user credentials if you ask in a particular way since at least 2016.

On August 10, 2016, Marco van Beek, managing director at UK-based IT consultancy Supporting Role, emailed the Microsoft Security Response Center to disclose an Autodiscover exploit that worked with multiple email clients, including Microsoft Outlook.

His report received a case number from Microsoft and a reference number from US-CERT. His proof-of-concept exploit code, which affected Outlook, default email apps for Android and iOS, Apple Mail for Mac OS X, and others, consisted of 11 lines of PHP, though he insisted the exploit probably could have been reduced to three lines.

He attached an explanatory PDF with his note, which described the behavior of Microsoft's Autodiscover protocol when email client software tries to add a new Exchange account.

Van Beek said he thought it was incredible that Microsoft confirmed the behavior he reported within hours but did not consider it to be a problem.

The Register asked Microsoft via email whether, in light of van Beek's 2016 report and Guardicore's report last week, the IT giant plans to take any steps to address credential exposure and whether it believes its guidance adequately addresses the problem.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/09/27/microsoft_exchange_autodiscover/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 697 800 4610 4373 3673 13456