Exchange/Outlook Autodiscover Bug Exposed 100K Email Passwords


Guardicore security researcher Amit Serper identified a critical weakness in Microsoft's Autodiscover, the protocol that lets a mail client configure an email account automatically from nothing more than the address and password. It allows attackers who register domains containing the word "autodiscover", such as autodiscover.com or autodiscover.co.uk, to capture the clear-text login details of users whose clients run into network problems (or whose administrators misconfigured DNS).

From April 16 through August 25 of this year, Guardicore bought a number of such domains and used them as proof-of-concept credential traps:

Autodiscover.com.br
Autodiscover.com.cn
Autodiscover.com.co
Autodiscover.es
Autodiscover.fr
Autodiscover.in
Autodiscover.it
Autodiscover.sg
Autodiscover.uk
Autodiscover.xyz
Autodiscover.online

A web server behind these domains received hundreds of thousands of email credentials in clear text, most of which also worked as Windows Active Directory domain credentials. The credentials arrive from clients that request the URL /Autodiscover/autodiscover.xml with an HTTP Basic authentication header that already carries the unfortunate user's Base64-encoded username and password. Base64 is an encoding, not encryption, so whoever receives that request holds the password.

Several factors combine to produce the vulnerability: the Autodiscover protocol's "backoff and escalate" behaviour when authentication fails, its failure to verify Autodiscover servers before handing over user credentials, and its willingness to use insecure methods such as HTTP Basic in the first place.

Failing upward with Autodiscover

The main job of the Autodiscover protocol is to simplify account configuration. One can rely on a normal user to remember their email address and password, but years of computing have taught us that asking them to remember and correctly enter details such as POP3 or IMAP4, TLS or SSL, TCP 465 or TCP 587, and the addresses of the actual mail servers is several bridges too far. By keeping all nonpriva ..