HackDig : Dig high-quality web security articles for hackers

Android App Leaks Microsoft Exchange Server User Credentials

2016-10-14 18:25

An Android app that allows corporate users to connect to their own Microsoft Exchange Server installations leaks user credentials, which can be easily decoded to their cleartext version.

Microsoft Exchange Server is an email and calendaring server developed by Microsoft that runs only on Windows Server. Companies deploy it to run their own private email servers, but the product also allows them to run a localized version of Outlook via the Office 365 offering.

"Nine" app users exposed to credential leaks

Corporate employees who want to connect to their company's Microsoft Exchange Servers from their mobile devices can use a third-party app called Nine - Outlook for Android.

The app is very popular on Android and has between 500,000 and 1,000,000 active installations.

Security researchers from Rapid7 have discovered that while the app uses SSL/TLS to encrypt communications from the user's smartphone to the Exchange Server, the app doesn't validate the source of the SSL/TLS certificates it receives.

App doesn't check certificate source

This lack of validation means the app is subject to MitM (Man-in-the-Middle) attacks, despite the usage of powerful encryption.

An attacker on the same Wi-Fi network can intercept traffic, despite being encrypted, and act as a relay point.

Rapid7 researchers say that when the app connects to the user's Microsoft Exchange Server installation, it also authenticates. These details are sent as part of HTTPS requests, which the attacker intercepts and can decrypt because he supplied the victim with a fake SSL/TLS certificate.

Credentials can be reversed to their cleartext form

The credentials are transmitted using Base64 encoding, which can be easily reversed and reveal the employee's actual credentials.

Despite the need for both victim and attacker of being on the same network, security researchers say that a plausible and possible attack scenario would be when a threat actor would carry a mobile Wi-Fi hotspot with him, hidden in a backpack. This way, the attack vector is mobile and can be deployed at will, not just at chance encounters.

Rapid7 informed 9Folders, the Nine app makers, who have fixed the issue, tracked as CVE-2016-6533, on October 13, in version 3.1.0 of the Nine app.

Nine app exposing user credentials as Base64 strings
Nine app exposing user credentials as Base64 strings


Source: s.703905-slaitnederc-resu-revres-egnahcxe-tfosorcim-skael-ppa-diordna/swen/moc.aideptfos.swen

Read:3919 | Comments:0 | Tags:Security Fixes and Improvements

“Android App Leaks Microsoft Exchange Server User Credentials”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Tools