Exchange/Outlook autodiscover bug exposed 100,000+ email passwords

arstechnica.com
4 min read
difficult
A flaw in the Autodiscover protocol can expose email passwords to third parties.
Security researcher Amit Serper of Guardicore discovered a severe flaw in Microsoft's autodiscover—the protocol which allows automagical configuration of an email account with only the address and password required. The flaw allows attackers who purchase domains named "autodiscover"—for example autodiscover.com, or autodiscover.co.uk—to intercept the clear-text account credentials of users who are having network difficulty (or whose admins incorrectly configured DNS).

Guardicore purchased several such domains and operated them as proof-of-concept credential traps from April 16 to August 25 of this year:

Autodiscover.com.br

Autodiscover.com.cn

Autodiscover.com.co

Autodiscover.es

Autodiscover.fr

Autodiscover.in

Autodiscover.it

Autodiscover.sg

Autodiscover.uk

Autodiscover.xyz

Autodiscover.online

A web server connected to these domains received hundreds of thousands of email credentials—many of which also double as Windows Active Directory domain credentials—in clear text. The credentials are sent from clients which request the URL /Autodiscover/autodiscover.xml , with an HTTP Basic authentication header which already includes the hapless user's Base64-encoded credentials.

Three major flaws contribute to the overall vulnerability: the Autodiscover protocol's "backoff and escalate" behavior when authentication fails, its failure to validate Autodiscover servers prior to giving up user credentials, and its willingness to use insecure mechanisms such as HTTP Basic in the first place.

Failing upward with autodiscover

The Autodiscover protocol's real job is the simplification of account configuration—you can perhaps rely on a normal user to remember their email address and password, but decades of computing have taught us that asking them to remember and properly enter details like POP3 or IMAP4, TLS or SSL, TCP 465 or TCP 587, and the addresses of actual mail servers are several bridges too far.

Advertisement

The Autodiscover protocol allows normal users…
Read full article