At a glance.
- Autodiscover flaw exposes app credentials.
- Hikvision cameras susceptible to remote access.
- Scraped LinkedIn data found no serious buyer and has now been dumped online.
Autodiscover security flaw reveals user credentials.
Researchers at Guardicore have found a flaw in Microsoft’s Autodiscover feature that leaks users’ email addresses and passwords. The feature, designed to let users of Exchange clients like Outlook configure their mail apps with minimal input, has the client search for a configuration file. If the file isn’t at the expected location, the client looks elsewhere on the same domain. TechCrunch explains that the issue lies in the “back-off” procedure, under which some clients keep stripping subdomains and retrying until they reach a domain that’s outside the company’s control. Guardicore explained, “This means that whoever owns Autodiscover.com will receive all of the requests that cannot reach the original domain,” and embedded in those requests are the user’s email address and password. SecurityWeek describes how, by registering nearly a dozen Autodiscover domains, Guardicore created honeypots that captured over 370,000 Windows domain credentials and more than 96,000 unique credentials over the course of just a few months.
Guardicore Labs' AVP of Security Research Amit Serper told ZDNet, "the protocol flaw isn't new; we were just able to exploit it at a massive scale." Microsoft says it’s currently investigating the issue, the Record by Recorded Future reports. “Unfortunately, this issue was not reported to us before the researcher marketing team presented it to the media, so we learned of the claims today,” said Microsoft senior director Jeff Jones. The Register adds that because the bug can be avoided with proper configuration, Microsoft might not see the issue as an urgent threat. CSO Online says Guardicore recommends that companies deploy firewall rules blocking requests to all Autodiscover.TLD domains, prevent those domains from resolving via DNS, and ensure that HTTP Basic authentication is disabled so that plaintext credentials cannot be sent over the network.
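The lookup order and the two mitigations above, modelled in Python. This is an added example, not Guardicore’s code or Microsoft’s client; the exact URL sequence is a simplified reconstruction of the client behaviour (an assumption), and the sample request headers are constructed for the demo, not captured data. It shows which candidate URLs leave the organization’s domain during back-off, what a honeypot on such a host sees when Basic authentication is in use, and which hostnames a firewall or DNS sinkhole should block.

```python
"""Model of the Autodiscover lookup order and its back-off step.

Added example, not Guardicore's or Microsoft's code. The URL sequence is a
simplified reconstruction of the client behaviour (assumption); the sample
headers are constructed for the demo.
"""
import base64
from typing import List, Optional, Tuple
from urllib.parse import urlparse

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def backoff_hosts(domain: str) -> List[str]:
    """Back-off model: drop the leftmost DNS label one at a time and try
    autodiscover.<parent>, all the way down to autodiscover.<tld>."""
    labels = domain.lower().split(".")
    return [f"autodiscover.{'.'.join(labels[i:])}" for i in range(1, len(labels))]


def autodiscover_candidates(email: str) -> List[str]:
    """URLs a client might try, in order, for the given mailbox (assumed order):
    autodiscover.<domain> and <domain> over HTTPS then HTTP, then back-off."""
    if "@" not in email:
        raise ValueError("not an email address")
    domain = email.rsplit("@", 1)[1].lower()
    hosts = [f"autodiscover.{domain}", domain] + backoff_hosts(domain)
    return [f"{scheme}://{host}{AUTODISCOVER_PATH}"
            for host in hosts for scheme in ("https", "http")]


def outside_org(url: str, org_domain: str) -> bool:
    """True when the request would go to a host the organisation does not own."""
    host = urlparse(url).hostname or ""
    org = org_domain.lower()
    return not (host == org or host.endswith("." + org))


def leaking_urls(email: str, org_domain: str) -> List[str]:
    """Candidate URLs whose request (and any credentials in it) leaves the org."""
    return [u for u in autodiscover_candidates(email) if outside_org(u, org_domain)]


def egress_blocklist(mailbox_domain: str, org_domain: str) -> List[str]:
    """Hostnames to deny at the firewall / sinkhole in DNS so the back-off
    step can never reach a third party: every back-off host outside the org."""
    hosts = [h for h in backoff_hosts(mailbox_domain)
             if outside_org(f"https://{h}/", org_domain)]
    return sorted(hosts)


def basic_auth_credentials(headers: dict) -> Optional[Tuple[str, str]]:
    """What the owner of autodiscover.<tld> sees when Basic auth is enabled:
    the Authorization header is base64, not encryption."""
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    raw = base64.b64decode(token).decode("utf-8", "replace")
    user, _, password = raw.partition(":")
    return user, password


# Constructed sample request, as a honeypot would receive it (not real data).
SAMPLE_HEADERS = {
    "Host": "autodiscover.com.br",
    "Authorization": "Basic " + base64.b64encode(b"EXAMPLE\\alice:Summer2021!").decode(),
}

if __name__ == "__main__":
    for url in autodiscover_candidates("alice@example.com.br"):
        flag = "LEAVES ORG" if outside_org(url, "example.com.br") else "ok"
        print(f"{flag:10} {url}")
    print("credentials seen by honeypot:", basic_auth_credentials(SAMPLE_HEADERS))
    print("block:", egress_blocklist("example.com.br", "example.com.br"))
```

Running it for a mailbox on example.com.br shows the first four candidates staying inside the organization and the back-off candidates (autodiscover.com.br, autodiscover.br) leaving it; the Basic header decodes straight to the domain username and password, which is why disabling Basic authentication matters as much as the firewall rule.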
Purandar Das, Co-founder and the chief security evangelist from Sotero sees the discovery as an illustration of the problems that can accompany legacy applications:
“The perils of legacy applications and services that automate inter-application connectivity and communication. As this example illustrates, there are many legacy applications with features, functionality and configurations that are not apparent nor have they been identified. It takes a lot of persistence and investigation to discover these vulnerabilities. Unfortunately, many of these discoveries are by malicious actors. The other challenge that is apparent is that some of these vulnerabilities may be discovered by well-funded and well-staffed enterprises. However, on the consumer side and many other organizations that don’t or can’t afford this level of analysis, they can be used against them. As this particular example illustrates, the more complex the application and productivity framework, the greater the possibility that it will contain vulnerabilities that can be used to compromise the stack.”
Security bug found in video cameras.
SecurityWeek reports that a critical vulnerability in upwards of seventy Hikvision camera and network video recorder models could allow an intruder to gain remote access to the devices. A researcher known as “Watchful IP” published a blog post explaining that the flaw can be exploited to take full control of a device and even use that device to reach internal networks, all without credentials or any interaction from the user. The bug has been reported to the vendor and firmware patches have been made available, though the researcher says the fixes have been “inconsistently deployed.”
Hackers dump spoils of LinkedIn data scrape
The fallout from this spring’s massive LinkedIn data breach (or scrape, as the company properly insists) continues as the hackers, apparently unable to find a buyer for their takings, have dumped the scraped data on the web. The Record by Recorded Future reports that the data, which consists of records on about 700 million users, is being shared as a torrent file in private channels on the messaging platform Telegram. As initial reports on the scrape pointed out, most of the data is publicly accessible on LinkedIn, but the dump also contains some email addresses that would not normally be visible in public profiles and could be used to pinpoint high-profile targets.