> Microsoft's Autodiscover service misconfiguration can be confirmed via curl -v -u "[email protected]:password" "https://prod.autodetect.outlook.cloud.microsoft/autodetect/d..."
Wait, does their autodetect send email and password to their servers, instead of just domain???
Not surprised. They used to have training material incentivizing professionals to use .local as the TLD for Active Directory realms. That's a reserved domain for Multicast DNS.
Working on Linux automation systems we would need to make sure to disable anything related to Avahi in our images otherwise name resolution would fail for some customers.
> The domain has a null MX record (indicating it doesn't accept email)
Not quite true, SMTP will use the A record if there is no MX.
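The distinction raised in this reply (a null MX is not the same as no MX at all) is easy to get wrong in tooling, so here is an added example, not from the original thread, that resolves where SMTP would deliver for a domain. It follows RFC 5321 section 5.1 (fall back to the A record when no MX exists) and RFC 7505 (a single MX with preference 0 and exchange "." means the domain accepts no mail). The zone data is a constructed in-memory table so the script runs offline; the domain names and records in it are assumptions for illustration, not real lookups.

```python
"""Decide the SMTP delivery target for a domain from its MX and A records.

Statuses returned:
  "null-mx"       single MX "0 ." (RFC 7505): domain accepts no mail
  "mx"            explicit MX present: lowest preference wins
  "implicit-mx"   no MX but an A record (RFC 5321 5.1): deliver to the host itself
  "undeliverable" neither MX nor A record
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample zone data (assumption; replace with a real resolver to check live zones).
SAMPLE_ZONES: Dict[str, Dict[str, list]] = {
    "nullmx.example":  {"MX": [(0, ".")], "A": ["192.0.2.10"]},
    "nomx.example":    {"MX": [], "A": ["192.0.2.20"]},
    "mail.example":    {"MX": [(20, "backup.mail.example."), (10, "mx1.mail.example.")], "A": []},
    "nothing.example": {"MX": [], "A": []},
}


def lookup(domain: str, rrtype: str, zones=SAMPLE_ZONES) -> list:
    """Return the records of one type for a domain (empty list if none)."""
    return zones.get(domain.lower().rstrip("."), {}).get(rrtype, [])


def is_null_mx(mx_records: List[Tuple[int, str]]) -> bool:
    """RFC 7505: exactly one MX record, preference 0, exchange "."."""
    return len(mx_records) == 1 and mx_records[0][0] == 0 and mx_records[0][1] == "."


def smtp_delivery_target(domain: str, zones=SAMPLE_ZONES) -> Tuple[str, Optional[str]]:
    """Return (status, host) describing where an SMTP client would try to deliver."""
    mx = lookup(domain, "MX", zones)
    if is_null_mx(mx):
        return ("null-mx", None)
    if mx:
        # Lowest preference value is tried first; strip the trailing dot of the FQDN.
        _, exchange = min(mx, key=lambda rec: rec[0])
        return ("mx", exchange.rstrip("."))
    if lookup(domain, "A", zones):
        # No MX at all: RFC 5321 treats the domain's own address as an implicit MX.
        return ("implicit-mx", domain)
    return ("undeliverable", None)


if __name__ == "__main__":
    for name in SAMPLE_ZONES:
        print(name, "->", smtp_delivery_target(name))
```

The point to take away is the middle two cases: a zone with no MX record at all still receives mail at its A record, whereas only the explicit null MX tells a sender that the domain refuses mail.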
Just a guess, but why do I get the feeling it’s because someone who set up sei.co.jp in Azure Entra (aka Azure AD) somehow managed to add/claim the domain “example.com” against their company's tenant?
It’s clearly not using the DNS records for discovery because they don’t exist; the only other option I can see is some weird fall-through or hard-coded value, and it seems like an odd one to pick.
Where does sei.co.jp come from? Why would Microsoft use that domain in the first place?
That’s why example.com states “Avoid use in operations”: not only could that create unnecessary traffic for them, it could also leak information, as in situations like this.
Why do you need to send a password when using their Autodiscover API? Would Outlook send the respective passwords for each email account to Microsoft?
This is why I never use these IANA-reserved domains like .test, .example, .invalid, .localhost.
I always make up some impossible domains like domain.tmptest
Otherwise you're one DNS "misconfiguration" away from sending dev logs and auth tokens to some random server.
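The worry in this comment, a reserved or placeholder domain left in a config that carries credentials, is something a pre-commit check can catch. The following is an added example, not from the thread, that scans configuration text for hostnames under the IANA-reserved names of RFC 2606/6761 (example.com/.net/.org, .test, .example, .invalid, .localhost) plus .local (reserved for mDNS by RFC 6762, as mentioned earlier in the thread) and raises the severity when the same line carries a secret-looking key. The sample config lines are constructed for illustration.

```python
"""Flag reserved/placeholder domains in configuration text.

A reserved name next to a password or token is the situation this thread
describes: the client will happily send the credential to whatever the
resolver or a vendor's fallback logic decides that name means.
"""
import re
from typing import List, Tuple

# RFC 2606 second-level names and RFC 6761/6762 special-use TLDs.
RESERVED_DOMAINS = ("example.com", "example.net", "example.org")
RESERVED_SUFFIXES = (".test", ".example", ".invalid", ".localhost", ".local")

# Dotted hostnames; underscores are excluded so KEY_NAMES are not matched.
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)
# Keys that suggest the line carries a credential.
SECRET_RE = re.compile(r"(password|passwd|secret|token|api[_-]?key)", re.IGNORECASE)

# Constructed sample config (assumption for illustration, not a real file).
SAMPLE_CONFIG = """\
SMTP_HOST=mail.example.com
SMTP_USER=svc-mailer@example.com
SMTP_PASSWORD=hunter2
LDAP_URL=ldap://dc01.corp.local
API_BASE=https://api.internal.corp
WEBHOOK=https://hooks.example.net/notify?token=abc123
"""


def is_reserved(host: str) -> bool:
    """True if the host is, or sits under, a reserved/special-use name."""
    h = host.lower().rstrip(".")
    if h in RESERVED_DOMAINS:
        return True
    if h.endswith(tuple("." + d for d in RESERVED_DOMAINS)):
        return True
    return h.endswith(RESERVED_SUFFIXES)


def scan_config(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, host, severity) for each reserved host found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        secret_on_line = SECRET_RE.search(line) is not None
        for host in HOST_RE.findall(line):
            if is_reserved(host):
                severity = "high" if secret_on_line else "medium"
                findings.append((lineno, host, severity))
    return findings


if __name__ == "__main__":
    for lineno, host, severity in scan_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {host} [{severity}]")
```

The scanner deliberately flags every reserved host at "medium" rather than only the credential-bearing lines, because a placeholder SMTP_HOST on one line is what causes the password on the next line to leave the machine.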
> Since at least February 2020, Microsoft's Autodiscover service has incorrectly routed the IANA-reserved example.com to Sumitomo Electric Industries' mail servers at sei.co.jp, potentially sending test credentials there.
I gather this has little to do with “example.com” and more to do with any domain that doesn’t have an autodiscover subdomain.
Nice to see tinyapps.org is still alive.
This is the same company that mishandled the Office brand (abandoned it) and is mishandling the Xbox brand (what even is an Xbox anymore?). Are we surprised?
NSA probably. Gives them plausible deniability.
Maybe some of their targets did use example.com for some probing, and the NSA had a hand in Sumitomo Electric Industries' mail server.
> Microsoft's Autodiscover service misconfiguration can be confirmed via curl -v -u "[email protected]:password" "https://prod.autodetect.outlook.cloud.microsoft/autodetect/d...":
Hold up, does this mean Outlook sends your full credentials to Microsoft when you try to set up an Outlook account? I'm sure they pinky promise they keep your credentials secure, but this feels like it breaks all sorts of security/privacy expectations.