Microsoft Exchange Autodiscover Leaks 100,000+ Credentials

Microsoft Exchange's Autodiscover feature has leaked approximately 100,000 login names and passwords for Windows domains worldwide.


Guardicore research found that an incorrect implementation of the Autodiscover protocol was causing Windows credentials to be sent to untrusted third-party websites.


Alicia Townsend, Technology Evangelist, OneLogin, weighed in on this latest Microsoft-related bug.

“With the news full of reports about organizations getting hacked because usernames and passwords were captured, it seems incredible that a product would be sending a user’s username and password to an untrusted endpoint. The fact that this is happening with an incredibly popular Microsoft product such as Exchange is even more disheartening. But maybe the answer lies in the fact that it is happening in a product that has been around for so long. The Exchange Autodiscover feature, which is the feature at the heart of this new vulnerability, was introduced in Exchange 2007. It is unclear as to whether or not this flaw in the design has been around that long. Whether the oversight was on the part of early developers or was introduced by more recent developers, it is clear that Security First was not their primary objective.

It is the responsibility of all software manufacturers, both on-prem and in the cloud, to ensure that their developers are educated on how to create and test for secure code. We need to be continually evaluating our products for possible security risks. We need to evaluate not just new functionality but existing functionality, because as we can see with the Exchange Autodiscover feature, something could have been designed into the feature years ago and no one has been aware of it. Customers put their trust in us and we need to be ever vigilant.”

