
Story of the creds-leaking Exchange Autodiscover flaw – the one Microsoft wouldn't fix even after 5 years

Bartholomew Bronze badge

broken by design

From a basic security perspective this 'feature' should be disabled by default, and be a complete and utter nightmare to enable. It is so flawed it was probably designed to be that way by a gagged FISA court order.

1st problem is that the client tries to connect to the root domain and works its way back to where its domain is.

So does autodiscovery. respond? Yes/no? If no, then maybe try autodiscovery.com. or autodiscovery.fr. or autodiscovery.uk. (depending on which domain name the client is in).

OK well then move back one level closer to where you are.

2nd problem is that the server can respond in basically plaintext and tell the client "I'm sorry, I have no idea what that encrypted gibberish you are trying is; can you just base64 encode the username and password (plaintext, basically) and send them to me? We will try that."
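To make the two problems in the comment above concrete, here is a small illustration added by the editor. It is not the commenter's code and not Microsoft's or any mail client's implementation: it builds the set of autodiscover.* hostnames a "walk up the domain hierarchy" procedure would visit for a mailbox, flags the ones that sit outside the organisation's own domain (so whoever registers them gets the request), and then shows a constructed 401 challenge offering only Basic, what a client that accepts that downgrade would send, and a policy check that refuses to answer Basic from a host outside the organisation. The mailbox address, org domain, credentials, the most-specific-first ordering and the challenge bytes are all assumptions of the example.

```python
import base64
from typing import List, Tuple


def backoff_candidates(email: str) -> List[str]:
    """Hostnames a hierarchy-walking Autodiscover lookup visits for a mailbox.

    Example only: one label of the mail domain is stripped per step until
    only the public TLD remains, giving autodiscover.<tld> as the last hop.
    The most-specific-first order is an assumption of this illustration.
    """
    domain = email.rsplit("@", 1)[1].lower().strip(".")
    labels = domain.split(".")
    return ["autodiscover." + ".".join(labels[i:]) for i in range(len(labels))]


def outside_org(candidates: List[str], org_domain: str) -> List[str]:
    """Candidates not under org_domain: whoever registers those names answers."""
    org = org_domain.lower()
    return [h for h in candidates if not (h == org or h.endswith("." + org))]


# Constructed server reply for the illustration: a 401 that offers only Basic.
CONSTRUCTED_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="autodiscover"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_challenge(raw_response: str) -> Tuple[int, List[str]]:
    """Return (status code, auth schemes offered) from a raw HTTP response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            schemes.append(value.strip().split(" ", 1)[0])
    return status, schemes


def naive_client_auth_header(username: str, password: str) -> str:
    """What a client that accepts the Basic downgrade sends: base64, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Authorization: Basic " + token


def decode_basic(header: str) -> str:
    """Anyone holding the header (or the TLS-terminating host) gets this back."""
    token = header.split(" ", 2)[2]
    return base64.b64decode(token).decode()


def hardened_should_answer_basic(host: str, org_domain: str, schemes: List[str]) -> bool:
    """Policy check (assumed, not a vendor setting): answer a Basic challenge
    only when the host that issued it is under the organisation's own domain."""
    if "Basic" not in schemes:
        return False
    org = org_domain.lower()
    return host.lower() == org or host.lower().endswith("." + org)


if __name__ == "__main__":
    hosts = backoff_candidates("alice@mail.corp.example.com")
    print("visited:", hosts)
    print("outside example.com:", outside_org(hosts, "example.com"))
    status, schemes = parse_challenge(CONSTRUCTED_401)
    print("server said:", status, schemes)
    hdr = naive_client_auth_header("alice", "s3cret")
    print("naive client sends:", hdr, "->", decode_basic(hdr))
    for h in hosts:
        print(h, "answer Basic?", hardened_should_answer_basic(h, "example.com", schemes))
```

Run it as a script to see the walk for the constructed mailbox: the final hop, autodiscover.com, is the one no mail administrator at example.com controls, and it is exactly the host the hardened check refuses to send a Basic header to.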
