Exchange/Outlook Autodiscover Bug Exposed 100K Email Passwords

This article has been indexed from E Hacking News – Latest Hacker News and IT Security News


Guardicore security researcher Amit Serper identified a design flaw in Microsoft's Autodiscover, the protocol that Exchange and Outlook clients use to fetch mailbox configuration automatically, given nothing more than the user's email address and password.
The flaw lies in how a client searches for the Autodiscover endpoint. A client for user@example.co.uk first tries hosts inside its own domain (for example autodiscover.example.co.uk); if those attempts fail, it "backs off" to the parent domain and eventually to autodiscover.co.uk, a host the organisation does not control. An attacker who registers such a domain, for example autodiscover.com or autodiscover.co.uk, therefore receives the clear-text logins of users whose earlier attempts failed because of network problems, or because their administrators misconfigured DNS.
From April 16 through August 25 of this year (2021), Guardicore purchased a number of such domains and used them as proof-of-concept credential traps:
  •  Autodiscover.com.br 
  •  Autodiscover.com.cn 
  •  Autodiscover.com.co 
  •  Autodiscover.es 
  •  Autodiscover.fr 
  •  Autodiscover.in 
  •  Autodiscover.it 
  •  Autodiscover.sg 
  •  Autodiscover.uk 
  •  Autodiscover.xyz 
  •  Autodiscover.online 
A web server answering for these domains received hundreds of thousands of email credentials in clear text, most of which also served as Windows Active Directory domain credentials.
The credentials arrive unprompted: the client requests /Autodiscover/autodiscover.xml with an HTTP Basic authentication header already attached, and Basic is only Base64 encoding, not encryption, so whoever operates the server reads the username and password directly.
Several factors contribute to the overall vulnerability:
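The following Python is an added example, not Guardicore's code or Microsoft's implementation. It models the back-off described above in simplified form (the assumption here is that the client strips one leading label per round until only autodiscover.<tld> is left; the real client also tries HTTP, SRV records and redirects, which are omitted), flags the candidate hosts that fall outside the user's own domain, and shows the trap-side view: decoding a Basic header and pulling credentials out of constructed web-server log lines. The log format, IP addresses and credentials are made up for the example.

```python
import base64
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/Autodiscover/autodiscover.xml"


def autodiscover_candidates(email):
    """Return the URLs an Outlook-style client would try, in order, for `email`.

    Simplified model (an assumption of this example, not the full Autodiscover
    spec): the user's own domain, then "autodiscover." prefixed to successively
    shorter parent domains, ending at autodiscover.<tld>.
    """
    domain = email.rsplit("@", 1)[1].lower().strip(".")
    labels = domain.split(".")
    hosts = [domain, "autodiscover." + domain]
    # The "back-off": drop the leftmost label each round.
    for i in range(1, len(labels)):
        hosts.append("autodiscover." + ".".join(labels[i:]))
    return ["https://%s%s" % (h, AUTODISCOVER_PATH) for h in hosts]


def is_outside_org(email, url):
    """True when `url` is served by a host that is neither the user's mail
    domain nor a subdomain of it, i.e. a request that would hand the
    credentials to whoever registered that parent domain."""
    domain = email.rsplit("@", 1)[1].lower()
    host = urlsplit(url).hostname or ""
    return not (host == domain or host.endswith("." + domain))


def leaking_candidates(email):
    """The subset of candidate URLs that leave the organisation."""
    return [u for u in autodiscover_candidates(email) if is_outside_org(email, u)]


def decode_basic_auth(header_value):
    """Decode an `Authorization: Basic ...` value to (user, password).

    Base64 is encoding, not encryption: anyone terminating TLS for the request
    recovers the password directly. Non-Basic schemes return None.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    raw = base64.b64decode(token, validate=True).decode("utf-8", errors="replace")
    user, _, password = raw.partition(":")
    return user, password


# Constructed log lines in the shape '<client_ip> "<request line>" "<Authorization>"'.
SAMPLE_LOG = [
    '203.0.113.7 "GET /Autodiscover/autodiscover.xml HTTP/1.1" "Basic %s"'
    % base64.b64encode(b"alice@example.co.uk:hunter2").decode(),
    '203.0.113.8 "GET /favicon.ico HTTP/1.1" ""',
    '203.0.113.9 "GET /Autodiscover/autodiscover.xml HTTP/1.1" "Negotiate TlRMTVNTUAAB"',
]


def harvest_from_log(lines):
    """Trap-side view: return (user, password) pairs that clients sent
    unprompted with their Autodiscover requests. Nothing is attacked here;
    the client volunteered the password in a Basic header."""
    found = []
    for line in lines:
        parts = line.split('"')
        if len(parts) < 4:
            continue
        request, auth = parts[1], parts[3]
        if AUTODISCOVER_PATH.lower() not in request.lower():
            continue
        creds = decode_basic_auth(auth)
        if creds:
            found.append(creds)
    return found


if __name__ == "__main__":
    for url in autodiscover_candidates("alice@example.co.uk"):
        print(("LEAKS  " if is_outside_org("alice@example.co.uk", url) else "ok     ") + url)
    print(harvest_from_log(SAMPLE_LOG))
```

The `leaking_candidates` check is the defensive half: a mail administrator can run it over the organisation's sender domains to see exactly which autodiscover.<tld> hosts a client would fall back to, and then either publish correct Autodiscover DNS records (so clients never reach the back-off) or block those external hostnames at the proxy.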

[…]

Read the original article: Exchange/Outlook Autodiscover Bug Exposed 100K Email Passwords