A flaw in the Autodiscover protocol could expose email passwords to third parties. essential. This flaw allows attackers who buy domains called "autodiscover" - for example, autodiscover.com or autodiscover.co.uk) to give explicit text account credentials to users who have a network problem (or administrators use DNS) to intercept. p>
The Guardicore purchased and used several of these domains from April 16 to August 25 this year as a valid proof-of-concept trap:Autodiscover.com.br Autodiscover.com.cn Autodiscover. com.co Autodiscover . es Autodiscover.fr Autodiscover.in Autodiscover.it Autodiscover.sg Autodiscover.uk Autodiscover.xyz Autodiscover.online
The web server connected to these domains has received hundreds of thousands of email credentials - many as credentials for a duplicate Windows Active Directory domain - that are being processed. Sending a clear text of the credentials to clients requesting the /Autodiscover/autodiscover.xml address, with the HTTP base authentication header already containing the unfortunate Base64 encoded credentials.
There are three main flaws that contribute to the overall vulnerability: the "backup and optimization" behavior of the protocol if it fails to authenticate, the Autodiscover servers authenticate before the user is authorized, and its willingness to use insecure mechanisms like HTTP Basic in the first place.
Incremental Detection Using Autodiscover
The main task of the Autodiscover protocol is to simplify account configuration - you may be able to trust the average user to remember their email address and password. Sorry, but decades of computing have taught us to require them to correctly enter details like POP3, IMAP4, TLS, SSL, TCP 465 or TCP 587, and physical email server addresses are multiple bridges.Advertising
The autodiscover protocol allows regular users to configure their email accounts without assistance by storing all offline parts of account configuration on publicly accessible servers. When setting up an Exchange account in Outlook, you enter an email address and password: for example, firstname.lastname@example.org with the Hunter2 password.
Armed with the user's email address, the autodiscover set about looking up configuration information in a published XML document. It tests HTTP and HTTPS connections with the following URLs. (Note: contoso is Microsoft, instead of a specific domain, it returns a domain name.)http(s): //Autodiscover.example.contoso.com/Autodiscover/Autodiscover.xml http(s): //example . from your example.contoso.com. Unfortunately, if these initial connection attempts fail, Autodiscover backs out and tries to find resources in a higher level domain.
In this case, the next step will be Autodiscover Search /Autodiscover/Autodiscover.xml. At contoso.com itself as well as Autodiscover.contoso.com. If you don't succeed, Autodiscover will not climb again - this time sending your email and password information to autodiscover.com.
If Microsoft owned autodiscover.com, that would be bad enough - but the reality is pretty murky. This domain was first registered in 2002 and now belongs to an anonymous person or organization that uses the WHOIS GoDaddy Privacy Shield.
In about four months, Guardicore has launched its beta credential. These credentials come from a wide range of organizations - publicly traded companies, manufacturers, banks, energy companies, and other sources.
When the Autodiscover protocol expires, users will not see HTTPS/TLS errors in Outlook. Autodiscover.contoso.com.br to Autodiscover.com.br The protection of the contoso property on your SSL certificate expires. Anyone who has purchased Autodiscover.com.br - in this case, Guardicore - is simply submitting a certificate that responds to TLS alerts despite not being affiliated with the contoso company.Advertising
In many cases, Outlook or a similar client initially presents its user credentials in a more secure format such as NTLM. Unfortunately, all that is required is a simple HTTP 401 from a web server that has a basic HTTP request - based on the compatibility of the client using autodiscover (usually without error or warning to the user) with the credentials. Sends the full text in Base64 encoded plaintext. It can be read by a web server that responds to requests for automatic discovery.
The really bad news is that there is no general discount strategy for these forms of automatic detection. If your organization's auto-discover infrastructure is having a bad day, your client will crash "as shown" and potentially expose your credentials. The bug hasn't been fixed yet — according to Microsoft CEO Jeff Jones, Guardicore made it known before Microsoft reported it.
If you are a network administrator, you can reduce the problem by refusing. DNS requests for Autodiscover domains - If any request to resolve a blocked domain is blocked in Autodiscover, the Autodiscover protocol will not be able to detect the credentials. However, you have to be careful: "Blocking" such requests by returning 127.0.0.1 is tempting, but it could allow a smart user to discover someone else's email and/or Active Directory credentials, if something that could fool the logging Targeted access to the user's computer.
If you're a programmer, the solution is simpler: don't implement the faulty part of the autodetect specification in the first place. If your application never attempts to authenticate to the "upstream" domain in the first place, the users' credentials will not be exposed by Autodiscover.
For more technical details, we recommend that you explore the Guardicore blog post in addition to your Microsoft documentation.
Image Indexing by Just_Super via Getty Images
Exchange / Outlook showed an error auto detecting more than 100,000 email passwords
At least since 2019, popular YouTube channels have been tak...
Britain's COVID Pass card system was suspended for hours o...
Several Visible Wireless subscribers reported having their accounts ...
This is the story of the mastermind behind one of the largest "fake news" op...
Twitch's live video streaming service has been hacked and 125GB...