Story of the creds-leaking Exchange Autodiscover flaw – the one Microsoft wouldn’t fix even after 5 years


Since at least 2016, Microsoft Exchange clients such as Outlook have handed over unprotected user credentials to any server that asks for them in a particular way. Microsoft has been aware of this, yet its advice to customers remains that they should communicate only with servers they trust.

On August 10, 2016, Marco van Beek, managing director at UK-based IT consultancy Supporting Role, emailed the Microsoft Security Response Center to disclose an Autodiscover exploit that worked with multiple email clients, including Microsoft Outlook.

“Basically, I have discovered that it is extremely easy to get access to Exchange (and therefore Active Directory) user passwords in plain text,” he wrote. “It doesn’t necessarily require any breach of corporate security, and at its most secure, is only as secure as file level access to the corporate website.”

His report received a case number from Microsoft and a reference number from US-CERT.

His proof-of-concept exploit code, which affected Outlook (both Mac and PC), default email apps for Android and iOS, Apple Mail
