- A design vulnerability in Microsoft Exchange Autodiscover can leak Windows credentials
- The flaw can show the plaintext view of email addresses and passwords
- The research team identified more than 300,000 exposed email credentials in four months
Thousands of Windows passwords are allegedly at risk of an email “autodiscover” bug that could lead to user credentials leaks. Researchers said that they are currently observing the Microsoft Autodiscover due to the discovered vulnerability in design.
On Wednesday, Amit Serper, AVP of Guardicore Labs’ Security Research, published a Microsoft Exchange Autodiscover analysis report. The analysis entitled “Autodiscovering the Great Leak,” explained that the issue in the autodiscover design may allow external servers to have a plaintext view of Windows domain credentials.
Microsoft Autodiscover is an Exchange protocol that helps client applications to automatically configure their Exchange connection. This is done through a company domain hosted remote configuration.
The protocol helps companies set up apps on devices such as computers or mobile phones using an employee’s login credentials. The work is offloaded through a server instead of doing so manually, ZDNet reported.
With autodiscover, apps will automatically look for a certain configuration file in locations familiar to it. The app will notify of a “fail up” once it does not find the file it is looking for.
The design vulnerability not only causes the app to “fail up,” but also goes beyond. Unknowingly, the app communicates with the same top-level domain yet outside the company’s control.
As the app communicates to a domain beyond the company’s control, anyone owning the domain will have the chance to glance at the plaintext view of Windows domain credentials.
The design flaw causes the protocol to locate the configuration on external domains instead of doing it remotely. The worst is that anyone can access the said domains.
Researchers also encountered a similar problem in 2017. In a Shape Security research published that year, the agency explored Autodiscover and its vulnerabilities in mobile email clients. The team fixed the issues with some of the affected apps.
Since Guaridicore Labs acquired the autodiscover domains in April, the team identified 372,072 exposed email credentials such as email addresses and passwords and 96,671 unique credential sets, TechCrunch reported.
“We are actively investigating and will take appropriate steps to protect customers,” said Jeff Jones, Sr. Director at Microsoft. He added that Microsoft intends to reduce unnecessary risk before going public, yet they have been notified only right after the issue was presented to the media, according to ZDNet.