Thousands of Windows credentials leaked through Microsoft Exchange Autodiscover bug


Key notes

  • Security researchers have disclosed a design flaw in the Autodiscover feature used by Microsoft Exchange.
  • The flaw causes email clients to send Windows domain and application credentials to servers outside the user's organisation.
  • The leak stems from the way the Autodiscover protocol "backs off" to parent domains when it cannot find a server.

Microsoft users' email troubles continue. Only days ago a bug affecting Outlook was reported, and now another one has surfaced.

According to security researchers, a design flaw in the Autodiscover protocol used by Microsoft Exchange gives attackers a way to harvest Windows domain and application credentials from users' email clients.

Protocol

Amit Serper, AVP of Security Research at Guardicore, discovered the bug. It resides in Microsoft's Autodiscover protocol, a feature that lets an email client locate its mail server automatically: the client sends the user's email address along with the user's credentials, and the server returns the settings the client needs to configure itself.

The protocol is considered crucial because it lets admins ensure that clients pick up the proper SMTP, LDAP, IMAP, WebDAV and other settings without configuring each one by hand.

Back-off mechanism is the cause

Serper attributes the leak to the protocol's back-off mechanism. When a client cannot reach an Autodiscover endpoint at the user's own domain (for example autodiscover.example.com), it strips the leftmost label from the domain and tries again one level up. Repeated enough times, this lands on autodiscover.<tld>, such as autodiscover.com, a domain the user's organisation does not control. Whoever owns that domain receives the automatically generated Autodiscover request, together with the credentials the client attaches to it.
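To make the back-off concrete, here is an added Python model of the hostname walk described above. It is illustration code written for this article, not Guardicore's or Microsoft's, and it generalises the example to domains with any number of labels. The exact order in which real clients alternate https and http for each host is an assumption here; the proxy log lines are constructed, and the threshold for "outside the organisation" is simply "not the org domain or one of its subdomains", which you would replace with your own list of owned domains.

```python
"""Model of the Autodiscover back-off that sends credentials off-domain.

Added illustration, not Guardicore's or Microsoft's code. The https/http
ordering per host is an assumption; the hostname walk is what the research
describes. SAMPLE_PROXY_LOG is constructed data, not a real capture.
"""
from urllib.parse import urlparse

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def autodiscover_candidates(email: str) -> list[str]:
    """Return the URLs a client may try for this mailbox, in the order modelled here."""
    domain = email.rsplit("@", 1)[1].lower()
    labels = domain.split(".")
    urls = []
    # First attempts stay on the user's own domain.
    for host in (f"autodiscover.{domain}", domain):
        for scheme in ("https", "http"):
            urls.append(f"{scheme}://{host}{AUTODISCOVER_PATH}")
    # Back-off: drop the leftmost label and retry autodiscover.<parent>.
    # The final iteration yields autodiscover.<tld>, which the org does not own.
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for scheme in ("https", "http"):
            urls.append(f"{scheme}://autodiscover.{parent}{AUTODISCOVER_PATH}")
    return urls


def outside_org(host_or_url: str, org_domain: str) -> bool:
    """True when the host is neither org_domain nor one of its subdomains."""
    if "://" in host_or_url:
        host = urlparse(host_or_url).hostname
    else:
        host = host_or_url.split(":")[0]  # strip an optional :port
    host = host.lower()
    org_domain = org_domain.lower()
    return not (host == org_domain or host.endswith("." + org_domain))


def leaking_candidates(email: str, org_domain: str) -> list[str]:
    """The subset of candidate URLs whose host a third party could own."""
    return [u for u in autodiscover_candidates(email) if outside_org(u, org_domain)]


# Constructed proxy log lines (not real data): timestamp, client, method, host:port, status.
SAMPLE_PROXY_LOG = [
    "2021-09-22T10:15:01Z 10.0.0.5 CONNECT autodiscover.example.com:443 503",
    "2021-09-22T10:15:02Z 10.0.0.5 GET autodiscover.com:80 401",
    "2021-09-22T10:15:02Z 10.0.0.5 GET autodiscover.com:80 200",
    "2021-09-22T10:16:09Z 10.0.0.7 CONNECT mail.example.com:443 200",
]


def flag_offdomain_autodiscover(log_lines: list[str], org_domain: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, host) for Autodiscover requests that leave the org's domains."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _method, hostport, _status = parts[:5]
        host = hostport.split(":")[0].lower()
        if host.startswith("autodiscover.") and outside_org(host, org_domain):
            hits.append((ts, client, host))
    return hits


if __name__ == "__main__":
    for url in autodiscover_candidates("alice@mail.example.com"):
        marker = "LEAK" if outside_org(url, "example.com") else "ok  "
        print(marker, url)
    for hit in flag_offdomain_autodiscover(SAMPLE_PROXY_LOG, "example.com"):
        print("off-domain Autodiscover request:", *hit)
```

The candidate list for alice@mail.example.com walks from autodiscover.mail.example.com through autodiscover.example.com and ends at autodiscover.com, which is the step the research flagged; the log filter shows the same walk from the defender's side, where a client that got a 401 from autodiscover.com and then a 200 is the pattern worth investigating, since the second request is the one carrying credentials.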

The captured credentials were sent using HTTP Basic authentication, meaning they were merely base64-encoded rather than encrypted, and in many cases travelled over plain HTTP. Serper advises moving away from Basic authentication to more secure methods such as NTLM and OAuth.

Microsoft says it is investigating the issue and will respond in due course.

What do you make of the latest bugs plaguing email? Are there ways you protect yourself from such vulnerabilities? Share with us in the comment section below.