What you need to know
- The Autodiscover feature of Microsoft Exchange is reported as having been improperly implemented.
- Said implementation issues have resulted in the leaks of nearly 100,000 Windows credentials, including logins and names.
- Microsoft has acknowledged it is investigating the matter and is unhappy the issue wasn't shared with it before reaching the media.
The Autodiscover feature in Microsoft Exchange is resulting in a bit more information being exchanged than users likely hoped for. In short, Guardicore reports that the Autodiscover protocol's improper implementation has led to "96,671 unique credentials" being leaked (via BleepingComputer).
Here's an aggressively simplified overview of how the leaks happened: Imagine an Exchange user signs into a mail client (Outlook, for example). Said client will try to ensure Exchange Autodiscover URLs are legitimate. That user's login details are then sent to the URLs in question.
However, because of the procedures of some mail clients, the Autodiscover protocol (opens in new tab) results in untrusted domains receiving authentication attempts. And that means that the untrusted domain's owners can collect the data they wrongly received and do whatever they want with it.
That's how the leak occurs, and how 96,671 credentials have gone places they shouldn't have. You can read Guardicore's full report for the nitty-gritty details, but that's a general summary of the situation.
When BleepingComputer reached out to Microsoft about the issue, this was Senior Director of Communications Jeff Jones' response:
Microsoft has repeatedly reminded everyone to play it smart with Exchange, though in this particular instance, it's not clear how exactly users can do anything on their end for added protection. We'll update the story if the company updates its guidance regarding the current situation.
Robert Carnevale is the News Editor for Windows Central. He's a big fan of Kinect (it lives on in his heart), Sonic the Hedgehog, and the legendary intersection of those two titans, Sonic Free Riders. He is the author of Cold War 2395. Have a useful tip? Send it to firstname.lastname@example.org.
Get the best of Windows Central in in your inbox, every day!
Thank you for signing up to Windows Central. You will receive a verification email shortly.
There was a problem. Please refresh the page and try again.