Autodiscover flaw in Microsoft Exchange leaking credentials

A flaw in Autodiscover, a protocol utilized in Microsoft Exchange, is responsible for a massive data leak of various Windows and Microsoft credentials, according to new Guardicore research.

Autodiscover is used by Exchange to automatically configure client applications like Microsoft Outlook. In research published Wednesday, Amit Serper, area vice president of security research for enterprise security vendor Guardicore, wrote in the company’s post dedicated to the vulnerability that Autodiscover “has a design flaw that causes the protocol to ‘leak’ web requests to Autodiscover domains outside of the user’s domain,” but in the same top-level domain (TLD) — for example,

Guardicore researchers then tested the flaw.

“Guardicore Labs acquired multiple Autodiscover domains with a TLD suffix and set them up to reach a web server that we control,” Serper wrote in the blog post. “Soon thereafter, we detected a massive leak of Windows domain credentials that reached our server.”

Examples of domains that the vendor purchased included, and; the post included substantial technical detail regarding how the domains were abused.

From April 16 to Aug. 25, Guardicore was able to exploit the flaw to capture 372,072 Windows domain credentials and 96,671 unique credentials “that leaked from various applications such as Microsoft Outlook, mobile email clients and other applications interfacing with Microsoft’s Exchange server,” Serper wrote.
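As an added, defender-side illustration (not code from the Guardicore post): the script below models the back-off the article describes under a simplified assumption made here (the client drops one leading label at a time from the user's email domain and prefixes "autodiscover."), lists which candidate hosts fall outside the organization's own domains, and flags requests to such hosts in egress proxy logs. The organization domains, the log format and the log lines are all constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed for this example: the domains the organization actually owns.
ORG_DOMAINS = {"example.com"}

def autodiscover_candidates(email_domain: str) -> list[str]:
    """Hostnames a client may try for a user's email domain under the
    simplified back-off assumed here: drop one leading label per step and
    prefix 'autodiscover.' (the last step lands on the bare TLD)."""
    labels = email_domain.lower().strip(".").split(".")
    return [f"autodiscover.{'.'.join(labels[i:])}" for i in range(len(labels))]

def is_outside_org(host: str, org_domains: set[str]) -> bool:
    """True if host is neither an org domain nor a subdomain of one."""
    host = host.lower().rstrip(".")
    return not any(host == d or host.endswith("." + d) for d in org_domains)

def leaking_candidates(email_domain: str, org_domains: set[str]) -> list[str]:
    """Candidates that would carry the user's credentials to a third party."""
    return [h for h in autodiscover_candidates(email_domain)
            if is_outside_org(h, org_domains)]

# Constructed proxy log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

SAMPLE_LOG = """\
2021-09-22T10:01:03Z 10.0.0.12 POST https://autodiscover.example.com/Autodiscover/Autodiscover.xml 200
2021-09-22T10:01:04Z 10.0.0.12 POST https://autodiscover.com/Autodiscover/Autodiscover.xml 200
2021-09-22T10:02:15Z 10.0.0.19 GET https://www.example.org/ 200
2021-09-22T10:03:40Z 10.0.0.21 POST http://autodiscover.co.uk/Autodiscover/Autodiscover.xml 401
""".splitlines()

def flag_autodiscover_egress(log_lines, org_domains: set[str]) -> list[tuple[str, str]]:
    """Return (client, host) pairs for Autodiscover requests that leave the org's domains."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        host = urlparse(m["url"]).hostname or ""
        if host.startswith("autodiscover.") and is_outside_org(host, org_domains):
            hits.append((m["client"], host))
    return hits

if __name__ == "__main__":
    print(leaking_candidates("mail.example.com", ORG_DOMAINS))
    print(flag_autodiscover_egress(SAMPLE_LOG, ORG_DOMAINS))
```

The flagged hosts are the ones an egress proxy or DNS policy would need to cover, and the candidate list for each mail domain shows why a single-domain allowlist is not enough.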

The Autodiscover flaw is not a new issue; Serper wrote that Shape Security first revealed the core vulnerabilities in 2017 and presented the findings at Black Hat Asia that year. At the time, the vulnerabilities — CVE-2016-9940 and CVE-2017-2414 — were found to only affect email clients on mobile devices. “The vulnerabilities disclosed by Shape Security were patched, yet, here we are in 2021 with a significantly larger threat landscape, dealing with the exact same problem only with more third-party applications outside of email clients,” Serper wrote.

The post presented two mitigations: one for the general public and one for software developers and vendors.

For the general…