Autodiscover email bug leaks thousands of Windows passwords
In a development that affects a very large number of people, it has been revealed that companies around the world are leaking passwords because of the Autodiscover email bug. Thousands of Windows passwords have already been leaked.
Cybersecurity researchers have discovered an Autodiscover email bug in Microsoft Exchange software, which is used by many companies. The bug allegedly involves a feature called Autodiscover, which is part of the email service, and it has leaked thousands of employees' Windows passwords, which can be collected by hackers. According to a new report, the bug has affected food companies, real estate firms and companies in China as well.
The Autodiscover system, which is part of Microsoft Exchange, can quickly configure a user's laptop, PC or smartphone along with email using just the employee's credentials. It eases the hassle faced by computer administrators and technical support by "auto-configuring" the client using the worker's username and password. However, to do this, the requests are sometimes sent to other domains (outside the company's network), such as autodiscover.com, which then provides the necessary configuration details.
According to researchers from Guardicore Labs, the Autodiscover feature can be used to collect and leak passwords. In April, they bought domains such as autodiscover.uk and autodiscover.fr and configured them to collect these usernames and passwords; over 3,40,000 Exchange account credentials were spotted, TechCrunch reports. What is worse, according to the researchers, due to the email bug these credentials were sent in plaintext (human-readable, non-encrypted), which is how they were collected.
The researchers found that 96,000 of the Exchange email credentials were encrypted, but if they "bounced" them back requesting weaker security, the credentials would be sent in plaintext again, the same lower level of security as the rest of the credentials sent in an unencrypted manner. These can also be easily read by humans and are not protected by any encryption.
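As an added illustration (not code from the article or from Guardicore), the model below shows how the "back-off" described above walks from the company's own Autodiscover host out to a bare top-level domain, and how a defender can flag such requests in proxy logs; the log lines, user names and the exact back-off order are constructed assumptions for the demo.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines for the demo (not real traffic).
SAMPLE_LOG = """\
2021-09-22T10:01:05Z user=alice method=POST url=https://autodiscover.example.co.uk/autodiscover/autodiscover.xml auth=NTLM status=404
2021-09-22T10:01:06Z user=alice method=POST url=https://autodiscover.co.uk/autodiscover/autodiscover.xml auth=Basic status=200
2021-09-22T10:02:11Z user=bob method=POST url=https://autodiscover.example.co.uk/autodiscover/autodiscover.xml auth=NTLM status=200
"""

LOG_RE = re.compile(r"user=(\S+) .*?url=(\S+) auth=(\S+)")

def autodiscover_back_off(email):
    """Hosts an Exchange-style client may try for user@domain, following the
    back-off the article describes: the mail domain, then successive parent
    domains, ending at the bare TLD (e.g. autodiscover.uk). Simplified model."""
    domain = email.split("@", 1)[1].lower()
    labels = domain.split(".")
    hosts = [domain, f"autodiscover.{domain}"]
    for i in range(1, len(labels)):  # example.co.uk -> co.uk -> uk
        hosts.append("autodiscover." + ".".join(labels[i:]))
    return hosts

def outside_org(host, org_domain):
    """True when the host is not the org domain or one of its subdomains."""
    return not (host == org_domain or host.endswith("." + org_domain))

def external_autodiscover_hosts(email):
    """The back-off candidates that would carry the user's credentials off-network."""
    org = email.split("@", 1)[1].lower()
    return [h for h in autodiscover_back_off(email) if outside_org(h, org)]

def flag_leaks(log_text, org_domain):
    """Return (user, host, auth) for Autodiscover requests leaving the org;
    Basic auth to such a host means the credentials went out in plaintext."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        user, url, auth = m.groups()
        host = urlparse(url).hostname or ""
        if "/autodiscover/" in url.lower() and outside_org(host, org_domain):
            hits.append((user, host, auth))
    return hits
```

Run `flag_leaks(SAMPLE_LOG, "example.co.uk")` to see the one request that left the organisation with Basic authentication.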
The researchers say that companies should disable their Autodiscover domain at the top. According to the researchers, users cannot see or detect the leak, and app developers are working on fixes, which is why the full list of affected apps has not been revealed. The researchers also plan to retain control of the domain names listed above after the issues are resolved, to ensure they cannot be misused by unscrupulous elements.