Researchers at Guardicore have disclosed a design flaw in Microsoft Exchange's Autodiscover protocol that can be used to harvest Windows domain credentials from Outlook and other Exchange clients. Microsoft says it is investigating.

“Autodiscover, a protocol used by Microsoft Exchange for automatic configuration of clients such as Microsoft Outlook, has a design flaw that causes the protocol to ‘leak’ web requests to Autodiscover domains outside of the user’s domain but in the same TLD [top-level domain],” Guardicore’s Amit Serper writes of his firm’s discovery. “This is a severe security issue, since if an attacker can control such domains or has the ability to ‘sniff’ traffic in the same network, they can capture domain credentials in plain text. Moreover, if the attacker has DNS-poisoning capabilities on a large scale (such as a nation-state attacker), they could systematically siphon out leaky passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs.”
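The following Python model illustrates the leak Serper describes: a client that cannot find an Autodiscover endpoint under the user's own domain keeps "backing off" to shorter parent names until it reaches a bare public suffix, where anyone who registered that name receives the request. This is an added example, not Guardicore's research code or Microsoft's client logic; the candidate order, the one-label-at-a-time back-off, the small public-suffix set and the proxy-log format are all assumptions made for the illustration. It also shows the corrected lookup (stop at the user's domain) and a detector that flags the leaky hosts in constructed proxy-log lines.

```python
"""Model of the Autodiscover back-off leak described in the article.

Added illustration; not Guardicore's or Microsoft's code. The candidate
order and the assumption that the client strips one label at a time until
only the TLD is left are modelled on the behaviour the article describes.
"""

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"

# Constructed subset of public suffixes used by the detector below.
# Assumption: a real deployment would load the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "br", "com.br", "fr"}


def leaky_candidates(email: str) -> list[str]:
    """Candidate URLs for the faulty lookup, including the back-off that
    drops the leftmost label and retries until only the TLD remains
    (corp.example.co.uk -> example.co.uk -> co.uk -> uk)."""
    domain = email.rsplit("@", 1)[1].lower()
    urls = [
        f"https://autodiscover.{domain}{AUTODISCOVER_PATH}",
        f"https://{domain}{AUTODISCOVER_PATH}",
    ]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])  # each parent is outside the user's domain
        urls.append(f"https://autodiscover.{parent}{AUTODISCOVER_PATH}")
    return urls


def safe_candidates(email: str) -> list[str]:
    """Same lookup with the back-off removed: never leave the user's domain."""
    domain = email.rsplit("@", 1)[1].lower()
    return [
        f"https://autodiscover.{domain}{AUTODISCOVER_PATH}",
        f"https://{domain}{AUTODISCOVER_PATH}",
    ]


def is_leaky_host(host: str) -> bool:
    """True when host is autodiscover.<public suffix>: a name no single
    organisation owns, and therefore registrable by an attacker."""
    host = host.lower().rstrip(".")
    prefix = "autodiscover."
    return host.startswith(prefix) and host[len(prefix):] in PUBLIC_SUFFIXES


def flag_leaks(proxy_lines):
    """Return (user, host) pairs whose Autodiscover request went to a leaky
    host. Lines are 'user host path'; the format is constructed for this
    example, not any real proxy's log format."""
    hits = []
    for line in proxy_lines:
        user, host, path = line.split()
        if path.lower() == AUTODISCOVER_PATH and is_leaky_host(host):
            hits.append((user, host))
    return hits


# Constructed sample lines: two normal lookups followed by the back-off.
SAMPLE_PROXY_LOG = [
    "alice@example.com autodiscover.example.com /autodiscover/autodiscover.xml",
    "alice@example.com example.com /autodiscover/autodiscover.xml",
    "alice@example.com autodiscover.com /autodiscover/autodiscover.xml",
    "bob@corp.example.co.uk autodiscover.co.uk /autodiscover/autodiscover.xml",
    "bob@corp.example.co.uk autodiscover.uk /autodiscover/autodiscover.xml",
]

if __name__ == "__main__":
    for url in leaky_candidates("bob@corp.example.co.uk"):
        print(url)
    print(flag_leaks(SAMPLE_PROXY_LOG))
```

The detector keys on the host alone because that is the signal a defender actually has: a request to `autodiscover.<public suffix>` is never legitimate for any tenant, and it is exactly the request that would carry the credentials Serper describes if the receiving server challenges for them. Blocking those hostnames at the egress proxy or resolver, and alerting on attempts, covers the "attacker controls the domain" case; it does not help against an on-path sniffer, which is why the fix belongs in the client's lookup logic as in `safe_candidates`.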