Shipping companies, power plants and investment banks don’t often share much in common, but new research shows they are all inadvertently leaking thousands of email passwords of their own employees, thanks in part to a design flaw in a widely used email protocol.
Autodiscover is a feature in Microsoft Exchange, a popular email software for companies to host their own email servers, to set up apps on a phone or a computer using just an employee’s email address and password. It’s meant to make it easier to set up an email or calendar app, for example, by offloading the hard work to the server rather than configuring the app by hand.
Most apps will look for the configuration file in places on the company’s domain where it knows to look. Each time it looks somewhere and can’t find it, the app will “fail up” and look somewhere else on the same domain. And if it can’t find the file, then users are left with the inconvenience.
But some apps will inadvertently fail up one step further before hitting a wall. That’s a problem, because behind the scenes the app is trying to communicate with a domain name that’s outside of the company’s control but within the same top-level domain — so, for example,
company.com would end up looking for the configuration file on
autodiscover.com. Anyone who owns that domain name could “listen” to the email addresses and passwords as they are sent across the internet.
Researchers have for years warned that email apps are vulnerable to this kind of data leakage and can put a company’s credentials at risk. Several apps were fixed at the time, but it’s clearly a problem that hasn’t gone away.
In April, Guardicore Labs acquired the autodiscover domains for some of the most common top-level domains —
autodiscover.fr, and so on — and set them to “listen” to leaky requests as they arrive.
In four months, Guardicore says it identified 340,000 exposed Exchange mailbox credentials hitting those domains. Some companies allow those same credentials to be used to log onto that domain, posing a risk if misused by a malicious hacker. Guardicore said the credentials were sent over the internet in plaintext and could be read at the other end.
Another 96,000 Exchange credentials were sent using protocols that are far stronger and cannot be decrypted, but could be tricked into sending the same credentials over the wire in the clear.
Amit Serper, Guardicore’s security research lead for North America and the author of the research, developed an attack that bounced back the encrypted credentials with a request to the app to use a weaker level of security to send the email address and password again, prompting the app to re-send the credentials in cleartext.
Serper named the attack, perhaps fittingly, “The ol’ switcheroo.”
The domains also saw exposed credentials from real estate companies, food manufacturers and publicly traded companies in China, Serper said.
For the average user, the leak is practically invisible. Guardicore is not immediately naming the apps that are the biggest culprits of leaked credentials, since many of the app makers are still working on rolling out fixes. Serper told TechCrunch that once the apps are fixed, the domains will be sinkholed but will remain under Guardicore’s control to prevent them from falling into the hands of malicious actors.
It’s not an exhaustive list of domains under Guardicore’s control, but companies and users can take their own precautions by blocking autodiscover domains at the top-level, Serper said. App makers can also not let their apps fail upwards outside of a company’s domain.