Dad On Retire

Exchange/Outlook autodiscover bug exposed 100,000+ email passwords

September 23, 2021

If you own the right domain, you can intercept hundreds of thousands of innocent third parties’ email credentials, just by operating a standard webserver. (credit: Guardicore)

Security researcher Amit Serper of Guardicore discovered a severe flaw in Microsoft’s autodiscover—the protocol which allows automagical configuration of an email account with only the address and password required. The flaw allows attackers who purchase domains named “autodiscover”—for example autodiscover.com, or autodiscover.co.uk—to intercept the clear-text account credentials of users who are having network difficulty (or whose admins incorrectly configured DNS).

Guardicore purchased several such domains and operated them as proof-of-concept credential traps from April 16 to August 25 of this year:

Autodiscover.com.br
Autodiscover.com.cn
Autodiscover.com.co
Autodiscover.es
Autodiscover.fr
Autodiscover.in
Autodiscover.it
Autodiscover.sg
Autodiscover.uk
Autodiscover.xyz
Autodiscover.online

A web server connected to these domains received hundreds of thousands of email credentials—many of which also double as Windows Active Directory domain credentials—in clear text. The credentials are sent from clients which request the URL /Autodiscover/autodiscover.xml, with an HTTP Basic authentication header which already includes the hapless user’s Base64-encoded credentials.
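As an added example (not from the article or from Guardicore), this is a check a defender could run over web-proxy records to list the accounts whose Basic credentials were sent to an autodiscover.<TLD> host outside the organization, so those passwords can be reset. The log line format, the `corp.example` domain and all function names are assumptions, and the sample lines are constructed.

```python
import base64
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"
OWN_MAIL_DOMAINS = {"corp.example"}  # assumption: domains this org really hosts mail for

def _basic(user, password):
    """Build a Basic Authorization value for the constructed sample lines."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed proxy log lines: "<method> <url> <Authorization header or ->"
SAMPLE_LOG = [
    "POST https://autodiscover.corp.example/Autodiscover/autodiscover.xml " + _basic("alice@corp.example", "x"),
    "POST http://autodiscover.fr/Autodiscover/autodiscover.xml " + _basic("bob@corp.example", "x"),
    "POST https://Autodiscover.com/autodiscover/autodiscover.xml " + _basic("carol@corp.example", "x"),
    "GET https://autodiscover.com/Autodiscover/autodiscover.xml -",
    "GET https://www.corp.example/index.html -",
]

def is_foreign_autodiscover(host, own_domains=OWN_MAIL_DOMAINS):
    """True for autodiscover.<something> where <something> is not one of our domains."""
    host = host.lower().rstrip(".")
    if not host.startswith("autodiscover."):
        return False
    rest = host[len("autodiscover."):]
    return not any(rest == d or rest.endswith("." + d) for d in own_domains)

def exposed_accounts(log_lines, own_domains=OWN_MAIL_DOMAINS):
    """Return sorted (username, host) pairs whose Basic credentials reached a foreign host."""
    hits = set()
    for line in log_lines:
        _method, url, auth = line.split(" ", 2)
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.path.lower() != AUTODISCOVER_PATH:
            continue
        if not is_foreign_autodiscover(host, own_domains):
            continue
        scheme, _, token = auth.partition(" ")
        if scheme.lower() != "basic":
            continue  # request seen, but no Basic credentials attached
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except ValueError:
            continue  # malformed header, nothing to attribute
        hits.add((decoded.partition(":")[0], host))  # keep username only, drop password
    return sorted(hits)

if __name__ == "__main__":
    for user, host in exposed_accounts(SAMPLE_LOG):
        print(f"reset credentials for {user}: sent to {host}")
```

The allow-list would also need any hosted mail provider's autodiscover endpoints the organization legitimately uses.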
