Microsoft has been aware of the problem in Autodiscover for 5 years

According to the tech giant, the problem in the protocol is not a vulnerability.

Since at least 2016, the Microsoft Outlook email client has exposed unprotected user credentials when they are requested in a specific way. Microsoft is aware of the problem but still only advises customers to interact with servers they trust.

On August 10, 2016, the director of the British IT company Supporting Role, Marco van Beek, sent a message to the Microsoft Security Response Center about an issue with the Microsoft Autodiscover feature of Microsoft Exchange mail servers, which allows mail clients to automatically discover mail servers, provide credentials, and then get proper configurations.

“Accessing passwords for Exchange users, and therefore Active Directory, in clear text is extremely easy. This does not necessarily require any kind of breach of corporate security, and it is as secure as file-level access to a corporate website,” van Beek said.

The PoC code for exploiting the issue consisted of 11 lines of PHP, although it could presumably be shortened to three lines. The researcher attached an explanatory PDF describing the behavior of the Microsoft Autodiscover protocol when an email client tries to add a new Exchange account.

On August 11, 2016, Microsoft confirmed that it had reproduced the issue described in van Beek’s report. However, on August 30, 2016, the company stated that the report did not describe a real vulnerability.

“Our security engineers reviewed the report and determined that this is not a vulnerability that needs to be serviced as part of our monthly Patch Tuesday process. An SSL certificate without a matching hostname is never recommended to be accepted. Before submitting your request, make sure it is trustworthy. Remember, you are submitting user credentials, so it is important to make sure you only share them with a server you can trust,” Microsoft replied.

Five years later, security researchers at Guardicore found the same issue in Microsoft Exchange’s Autodiscover mechanism. The issue has resulted in domain and Windows application credentials leaking around the world.

According to the researchers, the automatic mail server discovery mechanism uses a “back-off” procedure when it does not find the Autodiscover endpoint of the Microsoft Exchange server on the first try. This back-off mechanism is the culprit behind the leak: on each retry it strips part of the Autodiscover domain and keeps “failing up”. The final attempt to build the Autodiscover URL results in autodiscover.com/autodiscover/autodiscover[.]xml, which means that the owner of autodiscover[.]com receives every request that could not reach the original domain.
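As an added illustration (not code from the article or from Guardicore), the following Python models the fail-up sequence the article describes and shows the check a defender wants: which candidate hosts fall outside the organisation’s own domains, and which proxy log entries show a client actually reaching one. The simplified back-off model, the owned-domain list and the log lines are assumptions constructed for this example; the real client logic has more steps.

```python
import re
from typing import List, Tuple

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def autodiscover_candidates(email: str) -> List[str]:
    """Autodiscover URLs a client would try for this mailbox, in order.
    Simplified fail-up model (assumption): start at the mailbox domain and
    strip one leading label per retry until only the TLD is left."""
    domain = email.rsplit("@", 1)[1].lower().strip(".")
    labels = domain.split(".")
    urls = []
    while labels:
        urls.append(f"https://autodiscover.{'.'.join(labels)}{AUTODISCOVER_PATH}")
        labels = labels[1:]
    return urls


def _is_owned(host: str, owned_domains: List[str]) -> bool:
    """True when host is one of the organisation's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in owned_domains)


def leaking_candidates(email: str, owned_domains: List[str]) -> List[str]:
    """Candidates whose host the organisation does not control: a client that
    reaches one of these sends the user's credentials to a third party."""
    return [u for u in autodiscover_candidates(email)
            if not _is_owned(u.split("/")[2], owned_domains)]


# Constructed proxy log lines (not real data): "time client method host:port".
SAMPLE_PROXY_LOG = """\
2021-09-22T08:01:10Z 10.0.0.5 CONNECT autodiscover.example.com:443
2021-09-22T08:01:12Z 10.0.0.5 CONNECT example.com:443
2021-09-22T08:01:15Z 10.0.0.5 CONNECT autodiscover.com:443
2021-09-22T08:02:00Z 10.0.0.9 CONNECT autodiscover.example.co.uk:443
2021-09-22T08:02:03Z 10.0.0.9 CONNECT autodiscover.co.uk:443
"""

LOG_RE = re.compile(r"^\S+\s+(\S+)\s+\S+\s+(autodiscover\.[a-z0-9.-]+?)(?::\d+)?$", re.I)


def find_fail_up_requests(log_text: str, owned_domains: List[str]) -> List[Tuple[str, str]]:
    """(client, host) pairs for Autodiscover requests that left the organisation's
    domains; this is the traffic an egress block on autodiscover.<tld> hosts stops."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and not _is_owned(m.group(2).lower(), owned_domains):
            hits.append((m.group(1), m.group(2).lower()))
    return hits
```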

As van Beek noted, he and the Guardicore researchers separately discovered the same issue with the disclosed credentials. “The main difference is that they found a way to remove them from the main mail domain, while I stopped when I realized that most mail clients did not even check the SSL certificate before giving the gifts,” he explained.


Hackers hacked Europe’s largest missile manufacturer


Unknown hackers, acting under the nickname Adrastea, hacked into the database of the largest European missile manufacturer – MBDA, formed as a result of the merger of the French Aérospatiale-Matra Missiles, the British Matra BAe Dynamics and the Italian Finmeccanica-Leonardo. This was reported by Security Affairs.


The attackers’ message about gaining access to the company’s network appeared on one of the forums. As evidence, a link to an archive with demo files was attached.

The total amount of stolen data was estimated by the hackers at 60 GB. “The uploaded data contains confidential and confidential information about your company’s employees who took part in the development of closed military projects MBDA (PLANCTON, CRONOS, CA SIRIUS, EMADS, MCDS, B1NT, etc.) and about your company’s commercial activities in the interests of the EU Ministry of Defense (design documentation for air defense systems, missile systems and coastal defense systems, drawings, presentations, video and photo (3D) materials, contract agreements and correspondence with other companies Rampini Carlo, Netcomgroup, Rafael, Thales, ST Electronics, etc.”, the hackers wrote.

Adrastea is ready to discuss the cost of the stolen data array. MBDA has not yet commented on the incident.

MBDA manufactures a wide variety of missiles and related installations. For example, the company produces air-to-air missiles AIM-132 ASRAAM (short range, with IR guidance), MBDA Meteor (long range), MICA (medium range, with IR and radar guidance). The company’s product range also includes surface-to-air missiles – Mistral (MANPADS), MBDA Aster (medium and long range), Aspide Mk.1 (medium range), Sea Wolf (SAM), anti-ship (Exocet, Otomat, Marte, Sea Skua) and anti-tank (ERYX, Brimstone, HOT) missiles.


Samsung is ahead of the curve again. The company released the August security patch for three flagship lines at once


Samsung was the first company in the market to release the August security patch for its smartphones. Moreover, for three flagship lines at once: Galaxy S20, S21 and S22.


Today, owners of these smartphones in Germany began to receive updates, including a security patch. Usually, users from other countries do not have to wait long. The August security patch fixes dozens of vulnerabilities, so it’s quite important.

Samsung has sometimes been ahead of even Google in recent years, releasing security patches earlier and offering longer support for its flagships, although just three or four years ago, Samsung was almost the worst in this matter.


Hacker withdrew about $6 million worth of ETH from decentralized streaming platform Audius


Audius (AUDIO) is an artist-run, community-owned music streaming platform that aims to enable anyone to freely distribute, monetize, and stream audio.


Audius aims to return money and power to artists by connecting them directly to listeners and removing record labels and middlemen from the equation.

If bitcoin can be called the digital analogue of gold, then, according to the developers, Audius aims to be the next Spotify or SoundCloud on the blockchain. “The cryptocurrency music app aims to decentralize and democratize the music industry and give artists back more money and control.”

An unknown person was able to change the configuration of Audius’s governance smart contract and then submitted a malicious proposal to withdraw $6 million in AUDIO tokens.


The attacker was able to alter the proposal’s voting period in the Audius smart contract, as well as the delay before the voting result is executed. The attacker then put the stolen tokens up for sale, but because of market slippage, AUDIO worth $6 million fetched only $1.1 million in Ethereum.

According to the attacker’s address transfer history, the cryptocurrency received from the sale was “laundered” at 100 ETH per transaction through the Tornado Cash mixer.

Audius representatives confirmed the hack. The project developers state that the smart contract’s functionality has been restored after a detailed review. Whether Audius will compensate investors for their losses remains unclear.
