>Microsoft's Autodiscover service misconfiguration can be confirmed via curl -v -u "email@example.com:password" "https://prod.autodetect.outlook.cloud.microsoft/autodetect/d...":
Hold up, does this mean outlook sends your full credentials to Microsoft when you try to set up an outlook account? I'm sure they pinky promise they keep your credentials secure, but this feels like it breaks all sorts of security/privacy expectations.
> Hold up, does this mean outlook sends your full credentials to Microsoft when you try to set up an outlook account?
Not just an “outlook account” - any account in outlook, with default settings at least.
I run a mail server, mainly for me but a couple of friends have accounts on there too, and a while ago one friend reported apparently being locked out and it turned out that it was due to them switching Outlook versions and it was connecting via a completely different address to those that my whitelists expected sometimes at times when they weren't even actively using Outlook. Not only were active connections due to their interactive activity being proxied, but the IMAP credentials were stored so the MS server could login to check things whenever it wanted (I assume the intended value-add there is being able to send new mail notifications on phones/desktops even when not actively using mail?).
> but this feels like it breaks all sorts of security/privacy expectations.
It most certainly does. The behaviour can be tamed somewhat, but (unless there have been recent changes) is fully enabled by default in newer Outlook variants.
The above-mentioned friend migrated his mail to some other service in a huf as I refused to open my whitelist to “any old host run by MS” and he didn't want to dig in to how to return behaviour back to the previous “local connections only, not sending credentials off elsewhere where they might be stored”.
Basically everything microsoft makes that touches http will send your username and your password to any server that asks for Basic Authentication.
It looks like Microsoft Edge had the _ability to disable_ this added in 2020 or 2021, but it isn't currently the default and the Group Policy unintuitively only applies to unencrypted HTTP Connections.
>Basically everything microsoft makes that touches http will send your username and your password to any server that asks for Basic Authentication.
Are you talking about NTLM hashes? It's a weak hash, but not the same as "sending your password". The biggest difference is that even a weak hash can't be reversed if the password has high enough entropy.
Not necessarily, the server can say it only supports basic auth and….
Not just that, the new outlook app makes Microsoft a complete man-in-the-middle for your email account.
https://www.xda-developers.com/privacy-implications-new-micr...
And? Do you think Gmail is end to end encrypted?
My bank isn't end to end encrypted either, but that doesn't mean it's suddenly ok for Microsoft (or any other company) to suddenly start MITMing my online banking connections.
I am talking about the fact that the new default email client on Windows will hand over all your email credentials to Microsoft. This has nothing to do with Gmail.
Oh you mean even if you don't use Microsoft's email? Now I get it.
I think the concern is that it copies the emails of your non-Microsoft accounts that you added to the Outlook app, over to Microsoft servers
Adding a bunch of middlemen that also see the data increases the risk.
I think outlook is pretty much a saas product these days.
It's more common than you might think. I know of at least one popular email client that stores your credentials on their servers to enable features like multi-account sync and scheduled sending.
I bought a hardware password manager a while back and the bulk load tool sent all your creds to a cloud service. I have not used it since, and sent the manufacturer a nasty note.
It was the Ethernom Beamu, company now defunct.
I would expect such a feature to use end-to-end encryption for the data, so that only the user can see the credentials. It does, right? Right?
>>multi-account sync and scheduled sending
>I would expect such a feature to use end-to-end encryption for the data
How would "end-to-end encryption" when such features by definition require the server to have access to the credentials to perform the required operations? If by "end to end" you actually mean it's encrypted all the way to the server, that's just "encryption in transit".
> If by "end to end" you actually mean it's encrypted all the way to the server, that's just "encryption in transit".
This is what Zoom claimed was e2ee for a little while before getting in trouble for it.
Do you mean Spark? I get why they need to do it that way but I also hate that they have to do it that way because it sucks for privacy.
Most likely, and nobody cares.
Already many years ago I remember installing a firewall on my phone and noticing in surprise that Outlook was not connecting at all to my private mail server, but instead only sending my credentials to their cloud and downloading messages from there.
The only Android mail client not making random calls to cloud servers was (back then) K-9 Mail.
Yeah since the Windows 11 2023h2 update.
> Microsoft's Autodiscover service misconfiguration can be confirmed via curl -v -u "email@example.com:password" "https://prod.autodetect.outlook.cloud.microsoft/autodetect/d..."
Wait, does their autodetect send email and password to their servers, instead of just domain???
Not surprised. They used to have training material incentivizing professionals to use .local as TLD for Active Directory realms. Thats a reserved domain for Multicast DNS.
Working on Linux automation systems we would need to make sure to disable anything related to Avahi in our images otherwise name resolution would fail for some customers.
Haven't they been telling people to do that since before it became reserved? If so, the problem is more that you can't "reserve" something that's already in wide use, and mdns should've used something like .mdns.
It's like when .dev became a gTLD, knowingly breaking a bunch of setups for a mix of vanity and a cash grab. Obviously dropped the ball on the engineering side.
My company used .local for EVERYTHING. I took it as normal at the time, until I got into problems with VMWARE products.
Support patiently explained .local is reserved for something else and kindly provided Wikipedia links.
They never responded why they used .local in their docs, trainings, webinars they provided, though :)
Things from docs making it into production is insidious. There were some early Sun docs that referenced a 129.9.0.0/16 network. Some helpful contractor in my locality, specializing in local government work, configured several police, fire, and city governments with that subnet internally back in the 90s. A few of them are still running that way today. I remember running into some oddball behavior with the Teredo adapter in Windows 7 that I traced back to it behaving differently because the PC's IP address didn't fall into RFC1918 space.
I’ve worked with hundreds of customers that use .local internal domains and vmware, what issues are you describing?
My impression is that Ballmer IE6 era Microsoft didn't gave a shit about standards.
Is standard you are talking about is Multicast DNS https://www.rfc-editor.org/rfc/rfc6762 from year 2013?
Usage of .local for AD predated mDNS. That advice stopped with the advent of mDNS in favor of 'corp.<registered_domain>.<tld>'.
The original Windows 2000 guidance for AD was corp.example.com, from my recollection. The silly .local thing (which does predate mDNS) happened as a result of the Small Business Server refresh for Active Directory.
This is why I never use these IANA-reserved domains like .test, .example, .invalid, .localhost.
I always make up some impossible domains like domain.tmptest
Otherwise you're one DNS "misconfiguration" away from sending dev logs and auth tokens to some random server.
> Since at least February 2020, Microsoft's Autodiscover service has incorrectly routed the IANA-reserved example.com to Sumitomo Electric Industries' mail servers at sei.co.jp, potentially sending test credentials there.
It so happens that in this very specific case your obviously bad choice didn't make anything worse, that doesn't make it a good choice.
"Aha, the defective trucks only cause injuries to people who have their hands on the wheel at highway speeds, but I've never bothered holding the wheel at high speed, I just YOLO so I wouldn't be affected"
If people had used IANA's reserved TLDs they too would be unaffected because although Windows will stupidly try to talk to for example autodiscover.example that can't exist by policy and so the attempt will always fail.
And then you fire off 100k emails, they all bounce, and your mail service shuts you off...
It's all fun and games until Donuts buys .tmptest for some reason.
Would that really make a difference in this case? It's a configuration error / bug in Microsoft's discovery server, they could have a fallback that goes "any unknown address, return this .jp address".
.example is probably far safer than example.com.
https://www.akamai.com/blog/security/autodiscovering-the-gre...
According to it, it seems that if someone registers autodiscover.com then example.com lacking autodiscover.example.com will make Outlook try checking if autodiscover.com has an entry.
It's just a braindead system.
brb, just filing paperwork to apply for the .tmptest gTLD /s
I suspect you'd download a car.
$100K
$227k just to apply, and another few hundred thousand in legal, compliance, and contracting to reach delegation.
Source: I'm on the board of dotMeow and wrote the financial plan
Where does sei.co.jp comes from? Why Microsoft would use that domain in the first place?
I'm willing to bet they were the first user to try and add example.com to their Outlook account, and MS then just assigned it to them without verifying they own the domain.
It's not really the domain but the registration in the MS Office Cloud. If you query who owns example.com mail you get that company.
That’s why example.com states “Avoid use in operations”, not only that could create unnecessary traffic for them as well as leak information as in situations like this.
Why do you need to send a password when using their Autodiscover API? Would Outlook send the respective passwords for each email account to Microsoft?
I suspect they try to login and reverse engineer the IMAP config.
Nice to see tinyapps.org is still alive.
I gather this has little to do with “example.com” and more to do with any domain that doesn’t have an autodiscover subdomain.
NSA probably. Gives them plausible deniability.
Maybe some of their targets did use example.com for some probing, and the NSA had a hand in Sumitomo Electric Industries' mail server.
Reading the article, there is a huge flaw in the autodiscover protocol by Microsoft.
https://www.akamai.com/blog/security/autodiscovering-the-gre...
According to it, it seems that if someone registers autodiscover.com then example.com lacking autodiscover.example.com will make Outlook try checking if autodiscover.com has an entry.
It's just a braindead system.
This is the same company that mishandled the Office brand (abandoned it) and is mishandling the Xbox brand (what even is an Xbox anymore?). Are we surprised?