Researchers have discovered an Exchange Autodiscover flaw that can be used to steal Windows users’ credentials. Microsoft says it is investigating.
“Autodiscover, a protocol used by Microsoft Exchange for automatic configuration of clients such as Microsoft Outlook, has a design flaw that causes the protocol to ‘leak’ web requests to Autodiscover domains outside of the user’s domain but in the same TLD [top-level domain],” Guardicore’s Amit Serper writes of his firm’s discovery. “This is a severe security issue, since if an attacker can control such domains or has the ability to ‘sniff’ traffic in the same network, they can capture domain credentials in plain text. Moreover, if the attacker has DNS-poisoning capabilities on a large scale (such as a nation-state attacker), they could systematically siphon out leaky passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs.”
To test the flaw, Guardicore acquired multiple Autodiscover domains with a TLD suffix and pointed them at a web server under its control. It quickly detected a massive leak of Windows domain credentials reaching the server. Over a four-month period between April and August 2021, the domains leaked over 372,000 Windows domain credentials, and Microsoft Outlook, mobile email clients, and other applications interfacing with Microsoft’s Exchange server leaked 96,671 unique credentials.
Using this flaw, Guardicore also developed a test attack that downgrades a client’s authentication from a secure scheme such as OAuth or NTLM to HTTP Basic Authentication, so that credentials are sent in clear text.
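The two behaviours described above, Autodiscover requests escaping to a domain outside the organization but in the same TLD, and the downgrade to HTTP Basic Authentication, are both visible in outbound proxy logs. The following detector is an added example written for this article; it is not Guardicore's or Microsoft's code. It assumes a simplified, constructed log format (method, URL, Authorization header value) and an organization whose mail domain is `example.com`; the sample lines are fabricated for illustration.

```python
"""
Detector for Exchange Autodiscover "leak" traffic (added example, not the article's own code).

A client configured for a mailbox at example.com should only send Autodiscover
requests to hosts under example.com. A request to an Autodiscover endpoint on a
host that is outside that domain but shares its TLD (here, autodiscover.com)
is the leak pattern the article describes. A request carrying an HTTP Basic
Authorization header is the clear-text exposure the downgrade attack produces.
"""
import base64
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample proxy log lines; the format is an assumption of this example.
SAMPLE_LOG = [
    "GET https://autodiscover.example.com/autodiscover/autodiscover.xml Authorization=Negotiate",
    "GET https://example.com/autodiscover/autodiscover.xml Authorization=NTLM",
    "GET https://autodiscover.com/autodiscover/autodiscover.xml Authorization=-",
    "GET https://autodiscover.com/autodiscover/autodiscover.xml Authorization=Basic dXNlcjpwYXNz",
    "GET https://www.example.com/index.html Authorization=-",
]

LINE_RE = re.compile(r"^(?P<method>\S+) (?P<url>\S+) Authorization=(?P<auth>.*)$")


def tld_of(host: str) -> str:
    """Return the last DNS label (the TLD) of a hostname, lower-cased."""
    return host.lower().rstrip(".").rsplit(".", 1)[-1]


def is_under_domain(host: str, org_domain: str) -> bool:
    """True if host equals org_domain or is a subdomain of it."""
    h, d = host.lower().rstrip("."), org_domain.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def classify(line: str, org_domain: str) -> Optional[dict]:
    """Classify one log line; returns None if it is not an Autodiscover request."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("url"))
    host = url.hostname or ""
    if "/autodiscover/" not in url.path.lower():
        return None  # not an Autodiscover request at all
    auth = m.group("auth")
    finding = {
        "host": host,
        # leak: Autodiscover request left the org's domain but stayed in its TLD
        "leak": (not is_under_domain(host, org_domain)) and tld_of(host) == tld_of(org_domain),
        # basic_auth: credentials travel as base64 clear text
        "basic_auth": auth.startswith("Basic "),
        "user": None,
    }
    if finding["basic_auth"]:
        # Record the username only, so an analyst can notify the owner; the password is never kept.
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8", "replace")
            finding["user"] = decoded.split(":", 1)[0]
        except (ValueError, UnicodeDecodeError):
            pass
    return finding


def scan(lines, org_domain: str) -> list:
    """Return findings for lines that leak out of the domain and/or expose Basic credentials."""
    out = []
    for line in lines:
        f = classify(line, org_domain)
        if f and (f["leak"] or f["basic_auth"]):
            out.append(f)
    return out


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, "example.com"):
        print(finding)
```

Run against the sample, only the two requests to `autodiscover.com` are reported: the first as a leak, the second as both a leak and a clear-text Basic credential for the user `user`. In a real deployment the same logic would be fed from proxy or DNS logs, and a Basic-auth hit is a signal to rotate that account's password.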
If you’re interested in this kind of thing, Guardicore’s explanation of the flaw and how it can be exploited is fascinating and goes into great detail.
Microsoft is looking into the issue, but it chided Guardicore for not alerting it about the flaw before publicizing it.
“We are actively investigating and will take appropriate steps to protect customers,” Microsoft senior director Jeff Jones said. “We are committed to coordinated vulnerability disclosure, an industry standard, collaborative approach that reduces unnecessary risk for customers before issues are made public. Unfortunately, this issue was not reported to us before the researcher marketing team presented it to the media, so we learned of the claims today.”