Exchange/Outlook Autodiscover Bug Spills $100K+ Email Passwords

Threat Post -

Hundreds of thousands of email credentials, many of which double as Active Directory domain credentials, were sent in clear text to credential-trapping domains.

Guardicore researcher Amit Serper has discovered a severe design bug in Microsoft Exchange’s Autodiscover – a protocol that lets users easily configure applications such as Outlook with just an email address and password.

The bug has caused the Autodiscover service to leak nearly 100,000 unique login names and passwords for domains worldwide, Serper said in a technical report released this week.

“This is a severe security issue, since if an attacker can control such domains or has the ability to ‘sniff’ traffic in the same network, they can capture domain credentials in plain text (HTTP basic authentication) that are being transferred over the wire,” he said.

“Moreover, if the attacker has DNS-poisoning capabilities on a large scale (such as a nation-state attacker), they could systematically syphon out leaky passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs [top-level domains],” Serper wrote.

The design flaw causes the protocol to leak web requests to Autodiscover domains outside of the user’s own domain if they’re in the same TLD –
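As an added illustration (not code from the article or from Guardicore's report), the following Python check scans constructed outbound proxy log lines and flags Autodiscover requests that carried HTTP Basic credentials to a host outside the user's own email domain. The log format, users and hostnames are made up for the example.

```python
import re

# Constructed proxy log lines (not real data): timestamp, user, destination host, auth scheme.
SAMPLE_LOG = """\
2021-09-22T10:01:02Z alice@example.com autodiscover.example.com basic
2021-09-22T10:01:03Z alice@example.com autodiscover.com basic
2021-09-22T10:02:10Z bob@example.co.uk autodiscover.example.co.uk ntlm
2021-09-22T10:02:11Z bob@example.co.uk autodiscover.co.uk basic
2021-09-22T10:03:00Z carol@example.com autodiscover.com ntlm
2021-09-22T10:04:00Z dave@example.com mail.example.com none
"""

LINE_RE = re.compile(r"^(\S+) (\S+)@(\S+) (\S+) (\S+)$")


def leaks_outside_domain(user_domain: str, host: str) -> bool:
    """True when an Autodiscover request targets a host outside the user's own
    email domain. A host counts as inside the domain only if it is the domain
    itself or a subdomain of it; autodiscover.<tld> therefore counts as outside."""
    host = host.lower().rstrip(".")
    user_domain = user_domain.lower()
    if not host.startswith("autodiscover."):
        return False
    return not (host == user_domain or host.endswith("." + user_domain))


def find_leaks(log_text: str) -> list:
    """Return (user, host) pairs where HTTP Basic credentials went to an
    Autodiscover host outside the user's own domain, in log order.
    Requests with other schemes (e.g. NTLM) are not flagged here because the
    article's finding concerns clear-text Basic auth; review them separately."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        _ts, local, user_domain, host, auth = m.groups()
        if auth.lower() == "basic" and leaks_outside_domain(user_domain, host):
            findings.append((f"{local}@{user_domain}", host))
    return findings


if __name__ == "__main__":
    for user, host in find_leaks(SAMPLE_LOG):
        print(f"LEAK: {user} sent Basic credentials to {host}")
```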

Read More: https://threatpost.com/exchange-outlook-autodiscover-bug-spills-100k-email-passwords/175004/