Exchange auto-config protocol leaks Windows logins en masse

Security researchers have found that the Autodiscover protocol used by Microsoft Exchange to automatically configure email clients such as Outlook can leak Windows domain credentials undetected in their thousands.

Autodiscover attempts to configure client connection to Exchange Servers, once the user has provided their login credentials at account setup time.

Security vendor Guardicore found that when Autodiscover fails in its first attempts at fetching an Extended Markup Language (XML) file with the server settings the client is trying to use, a design flaw in the protocol back-off mechanism leads to a potentially serious information leak situation.

"This 'back-off' mechanism is the culprit of this leak because it is always trying to resolve the Autodiscover portion of the domain and it will always try to 'fail up', so to speak," Guardicore wrote.

"Meaning, the result of the next attempt to build an Autodiscover URL would be: http://Autodiscover.com/Autodiscover/Autodiscover.xml. 

"This means that whoever owns Autodiscover.com will receive all of the requests that cannot reach the original domain."

Guardicore registered a range of domains to exploit the flaw, such as Autodiscover.com.co and Autodiscover.uk, and assigned them to a webserver it controlled.

To its surprise, the server started to receive large amounts of pre-authenticated requests, which contained usernames and passwords as Autodiscover tried to configure email clients with server settings.

Guardicore captured over 372,000 Windows domain credentials between April and August this year, of which almost 97,000 were unique.

The user credentials were from a range of industries, including publicly traded Chinese companies, power plants, shipping and logistics, investment banks, real estate and more.

By using a freely available digital certificate, it is possible to conduct the attack unnoticed by users, and it's also possible to downgrade client authentication from secure to insecure HTTP Basic Authentication.

The security researchers suggested that users block "Autodiscover" domains at the firewall level, and that Exchange administrators disable support for basic hypertext transfer protocol authentication that sends data over the internet in clear text.

A nation-state attacker that is able to conduct large-scale domain name system poisoning could exploit the flaw to capture login credentials en masse, Guardicore said.