Windows Passwords May Be At Risk Of A Credential Leak Due To An Email ‘Autodiscover’ Bug

2021-09-23

Thousands of Windows passwords may be vulnerable to an email “autodiscover” issue that can expose user credentials. Researchers are presently monitoring Microsoft Autodiscover because of the design flaw they observed.

Amit Serper, AVP of Security Research at Guardicore Labs, issued a Microsoft Exchange Autodiscover research report on Wednesday. The report, titled “Autodiscovering the Great Leak,” claimed that a flaw in the autodiscover design might allow remote servers to view Windows domain passwords in plaintext.

Microsoft Autodiscover is an Exchange protocol that aids in the automatic configuration of client applications’ Exchange connections. This is accomplished using a remote configuration hosted on the company’s domain.

The protocol enables businesses to configure software on devices such as PCs and smartphones using an employee’s login credentials. Instead of the user completing the setup manually, the task is offloaded to a server, according to ZDNet.

Apps that use autodiscover hunt for a certain configuration file in locations that are familiar to them. If the app does not find the file it is seeking, it will “fail up.”

The design flaw not only causes the software to “fail up,” but it also has other consequences. The app ends up talking to a domain that shares the company’s top-level domain but is outside the company’s knowledge and control.

Because the app communicates with a domain that is not under the company’s control, anyone with access to that domain will be able to see the Windows domain credentials in plaintext.

The protocol’s design issue causes it to look for configuration on external domains rather than only on the company’s own domain. Worst of all, anyone can register the aforementioned domains.
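As an added example that is not part of this article or of Guardicore’s research, the following Python script shows the defender-side check implied above: it lists the hosts an Autodiscover client may try as it “fails up” from a user’s mail domain, and scans constructed proxy-log lines for Autodiscover requests that left the organization’s own domains. The log format, the address, and the OWNED_DOMAINS set are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Domains the organization controls (assumption for this example).
OWNED_DOMAINS = {"example.com"}

# Constructed sample proxy log, one request per line:
# "<timestamp> <user> <method> <url> <status>"  (not real traffic)
SAMPLE_PROXY_LOG = """\
2021-09-22T10:01:05Z alice GET https://autodiscover.corp.example.com/autodiscover/autodiscover.xml 404
2021-09-22T10:01:06Z alice GET https://autodiscover.example.com/autodiscover/autodiscover.xml 404
2021-09-22T10:01:07Z alice GET https://autodiscover.com/autodiscover/autodiscover.xml 401
2021-09-22T10:02:11Z bob POST https://mail.example.com/autodiscover/autodiscover.xml 200
2021-09-22T10:03:44Z carol GET https://www.example.org/index.html 200
"""


def failup_candidates(email: str) -> list[str]:
    """Hosts a client may query as it walks the mail domain upward ("failing up"),
    ending at the bare top-level domain the article describes."""
    domain = email.rsplit("@", 1)[1].lower().rstrip(".")
    labels = domain.split(".")
    return ["autodiscover." + ".".join(labels[i:]) for i in range(len(labels))]


def is_owned(host: str, owned: set[str] = OWNED_DOMAINS) -> bool:
    """True if host equals, or is a subdomain of, an organization-owned domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in owned)


def external_candidates(email: str, owned: set[str] = OWNED_DOMAINS) -> list[str]:
    """The fail-up hosts that would carry the lookup outside the organization."""
    return [h for h in failup_candidates(email) if not is_owned(h, owned)]


def find_leaky_autodiscover_requests(log_text: str, owned: set[str] = OWNED_DOMAINS) -> list[dict]:
    """Autodiscover requests in the log whose destination host is not organization-owned."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guessing fields
        ts, user, method, url, status = parts
        if "/autodiscover/autodiscover.xml" not in url.lower():
            continue
        host = urlsplit(url).hostname or ""
        if not is_owned(host, owned):
            findings.append({"time": ts, "user": user, "host": host, "status": int(status)})
    return findings
```

Feeding a real proxy export through find_leaky_autodiscover_requests (after adapting the field split) surfaces the clients that have already fallen through to a domain nobody in the organization controls.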

In 2017, researchers ran into a similar problem. Autodiscover and its vulnerabilities in mobile email clients were investigated by Shape Security in a report published that year. Some of the problematic apps were repaired by the team.

Guardicore Labs discovered 372,072 exposed email credentials, such as email addresses and passwords, and 96,671 unique credential sets since acquiring the autodiscover domains in April, according to TechCrunch.

Microsoft’s Jeff Jones, Sr. Director, stated, “We are actively investigating and will take appropriate steps to protect customers.” According to ZDNet, he stated that Microsoft intends to decrease unneeded risk before going public, but they were only told after the issue was disclosed to the media.