A “design flaw” in Microsoft Exchange’s Autodiscover protocol allowed researchers to access 372,072 Windows domain credentials and 96,671 unique sets of credentials from applications such as Microsoft Outlook and third-party email clients.
The discovery comes from Amit Serper, area vice president of security research for North America at security firm Guardicore. The credentials being leaked are valid Windows domain credentials used to authenticate to Microsoft Exchange servers. According to Serper, the leak has two causes: the design of Microsoft’s Autodiscover protocol itself, specifically its “back-off” algorithm, and poor implementation of the protocol in some applications.
Autodiscover is the feature that lets an email client locate its Exchange server automatically and fetch the settings it needs for configuration; the client authenticates to the Autodiscover endpoint with the user’s credentials. Serper says the design flaw causes the protocol to “back off” from endpoints the client cannot reach inside the user’s own domain and to keep sending those authenticated web requests to Autodiscover hostnames that are outside of the user’s domain but in the same top-level domain (for example autodiscover.com), which the user’s organization does not control.
“This is a severe security issue, since if an attacker can control such domains or has the ability to ‘sniff’ traffic in the same network, they can capture domain credentials in plain text,” Serper says in a blog post on the findings. “Moreover, if the attacker has DNS-poisoning capabilities on a large scale (such as a nation-state attacker), they could systematically siphon out leaky passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs.”
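To make the “back-off” concrete, the following is an added illustration written for this article; it is not Guardicore’s code, not Microsoft’s reference implementation, and the exact candidate order it produces is an assumption. It models the behaviour the research describes: a client that fails to reach Autodiscover endpoints inside the user’s own mail domain strips the leftmost DNS label and tries again, until it reaches autodiscover.<tld>, a host outside the organization’s control. The second function flags which of those requests, each of which would carry the user’s credentials, leave the user’s domain.

```python
"""Model of the Autodiscover 'back-off' described above (added example).

Assumptions, not facts from the article or from Microsoft's documentation:
- candidate order: https then http, autodiscover.<suffix> then bare <suffix>,
  with the bare domain tried only for the user's full mail domain;
- the client keeps backing off one label at a time until only the TLD is
  left, producing autodiscover.<tld> as the last candidate.
"""
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/Autodiscover/Autodiscover.xml"


def _mail_domain(email: str) -> str:
    local, _, domain = email.rpartition("@")
    if not local or not domain or "." not in domain:
        raise ValueError("expected an address of the form user@host.tld")
    return domain.lower()


def candidate_urls(email: str) -> list[str]:
    """Return the ordered Autodiscover URLs a backing-off client would try.

    For alice@example.com this yields:
      https://autodiscover.example.com/...  (inside the user's domain)
      http://autodiscover.example.com/...
      https://example.com/...
      http://example.com/...
      https://autodiscover.com/...          (outside the user's domain)
      http://autodiscover.com/...
    """
    labels = _mail_domain(email).split(".")
    urls = []
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        for scheme in ("https", "http"):
            urls.append(f"{scheme}://autodiscover.{suffix}{AUTODISCOVER_PATH}")
        if i == 0:  # the bare mail domain is only tried at the first step
            for scheme in ("https", "http"):
                urls.append(f"{scheme}://{suffix}{AUTODISCOVER_PATH}")
    return urls


def leaking_urls(email: str) -> list[str]:
    """Candidate URLs whose host is not the user's mail domain or under it.

    Every request in this list would be sent, with the user's credentials,
    to a host the organization does not necessarily own. Intermediate
    back-off steps may land on a parent domain the organization does own
    (e.g. example.com for mail.example.com), so review the list rather than
    treating every entry as hostile; the final autodiscover.<tld> entries
    are always outside the organization.
    """
    domain = _mail_domain(email)
    leaks = []
    for url in candidate_urls(email):
        host = urlsplit(url).hostname or ""
        if host != domain and not host.endswith("." + domain):
            leaks.append(url)
    return leaks


def egress_block_hosts(emails: list[str]) -> list[str]:
    """Hostnames that are outside every supplied mail domain.

    Intended as input for an egress-proxy or DNS sink-hole rule so that a
    misbehaving client can never complete the leaking request. The list is
    derived purely from the model above.
    """
    hosts = set()
    for email in emails:
        for url in leaking_urls(email):
            hosts.add(urlsplit(url).hostname)
    return sorted(hosts)


if __name__ == "__main__":
    # Constructed sample addresses; the domains are placeholders.
    for addr in ("alice@example.com", "bob@mail.example.com.br"):
        print(addr)
        leaks = set(leaking_urls(addr))
        for url in candidate_urls(addr):
            print("  LEAK " if url in leaks else "  ok   ", url)
```

Run as a script it prints each candidate request and marks the ones that leave the user’s domain; the `egress_block_hosts` output is what you would feed to an outbound proxy or DNS policy so that a client which does back off can never complete the request.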
Guardicore’s full report on the flaw, together with suggestions for mitigation, can be found here.