A design flaw in the Microsoft Exchange email server has been found to leak credentials to unauthenticated users.

Discovered and detailed today byAmit Serper at ransomware protection company Guardicore Ltd., the issue relates to the Microsoft Autodiscover protocol. The protocol is a feature in Exchange email servers designed to ease the configuration of Exchange clients such as Outlook.

The feature allows an end-user to completely configure their Outlook client solely by providing their username and password while leaving the rest of the configuration to the Autodiscover protocol. That’s where the issue begins.

To get the automatic configurations, email clients ping a series of predetermined URLs. If the client doesn’t receive a response from those URLs, it then tries a “back-off” algorithm that uses Autodiscover with a top-level domain name.

Serper registered various domain names with the name Autodiscover in them and then ran honeypot servers to see what happened. Between April and August, those honeypots received hundreds of requests a day with thousands of credentials from users trying to set up email clients.

“The interesting issue with a large amount of the requests that we received was that there was no attempt on the client’s side to check if the resource is available or even exists on the server before sending an authenticated request,” Serper noted.

At the end of the testing period, Guardicore had managed to capture 372,072 Windows domain credentials and 96,671 unique credentials for applications such as Outlook. The credentials range from food manufacturers, banks, power producers, shipping and logistics providers and more. Suffice to say, if a malicious actor had been involved, the access could have caused severe harm.

Microsoft has so far responded to the issue by saying that though it’s committed to coordinated vulnerability exposure, it was not informed of this issue before it went public.

“It seems incredible that a product would be sending a user’s username and password to an untrusted endpoint,” Alicia Townsend, technology evangelist at identity and access management provider OneLogin Inc., told SiliconANGLE. “The fact that this is happening with an incredibly popular Microsoft product such as Exchange is even more disheartening.”

Townsend noted that the Exchange Autodiscover feature was introduced in Exchange 2007. “It is unclear as to whether or not this flaw in the design has been around that long,” she added. “Whether the oversight was on the part of early developers or was introduced by more recent developers, it is clear that Security First was not their primary objective.”

Image: Microsoft