Skip to main content

Exchange/Outlook autodiscover bug exposed 100,000+ email passwords

posted onSeptember 24, 2021
by l33tdawg
Arstechnica
Credit: Arstechnica

Security researcher Amit Serper of Guardicore discovered a severe flaw in Microsoft's autodiscover—the protocol which allows automagical configuration of an email account with only the address and password required. The flaw allows attackers who purchase domains named "autodiscover"—for example autodiscover.com, or autodiscover.co.uk—to intercept the clear-text account credentials of users who are having network difficulty (or whose admins incorrectly configured DNS).

Guardicore purchased several such domains and operated them as proof-of-concept credential traps from April 16 to August 25 of this year:

    Autodiscover.com.br
    Autodiscover.com.cn
    Autodiscover.com.co
    Autodiscover.es
    Autodiscover.fr
    Autodiscover.in
    Autodiscover.it
    Autodiscover.sg
    Autodiscover.uk
    Autodiscover.xyz
    Autodiscover.online

A web server connected to these domains received hundreds of thousands of email credentials—many of which also double as Windows Active Directory domain credentials—in clear text. The credentials are sent from clients which request the URL /Autodiscover/autodiscover.xml, with an HTTP Basic authentication header which already includes the hapless user's Base64-encoded credentials.

Source

Tags

Security

You May Also Like

Recent News

Tuesday, November 19th

Friday, November 8th

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th