This is a bigger issue because those credentials can be used to authenticate to the Exchange server to download emails or, if they're using Active Directory elsewhere in the enterprise, to VPN in, to log in to servers, so on and so forth.
So a more realistic scenario might be after gaining access to a company's LAN, or at a public WiFi? Did I read it right, you can force downgrade Exchange clients from TLS to plaintext, essentially?
What more did Apple say on the phone? No rationale given?
I see no evidence of a force downgrade, you can see in the screenshots that he configured SSL off. If you configure SSL off, your credentials go over the wire in plaintext. Surprise surprise.
I don't see what other response he could have reasonably expected from Microsoft, given that his complaints were about the iOS Exchange connector, and actually had nothing to do with Exchange Server.
No, there is no vulnerability here there is no real way to force downgrade or redirect traffic, iOS will prompt a message asking you to confirm a self signed certificate.....
What the author claims is a vulnerability isn't one in any real sense.
They basically "complain" that the mailbox on the iOS phone doesn't "validates" that the server is a real exchange server, in all honestly neither does outlook, nor most other client-server protocols I know off if the server isn't correct it will fail that's it.
Even if there was a way to downgrade or redirect traffic if you have the ability to do that it's game over, if you can MitM an SSL connection between an iOS device and it's server faking a layer 7 handshake isn't really hard to do at that point.
I don't even know what could be "validated" that an attacker couldn't fake. The only real validation that can be done is if the certificate is valid for the domain.
Again this isn't the case, I've tested it out myself and I get a prompt to confirm the SSL certificate when an invalid certificate is used.
This is the step that the author gracefully has omitted: https://imgur.com/a/OXIal, and no nothing is sent until you approve the certificate.
I can't be bothered to set up an actual exchange server to check what happens if you change the certificate midway, however having to approve a certificate change before when the certificates were rotated at my previous employer at least twice on an iPhone (and much older than the current iOS) it would bet that nothing is being sent.
What isn't "validated" is the fact that there is a real exchange server beyond the HTTP/HTTPS endpoint.
You can do a layer 7 validation and validate that there is an actual exchange server beyond the HTTP endpoint but as I stated it's utterly useless since if you can MitM the SSL connection answer "yes I'm a real exchange server" won't be a technical problem at that point.
The author basically sees something that isn't there, the mail app tries to connect to an exchange server, it does so over SSL, it does validates the SSL certificate or prompts the user to approve it if the chain cannot be validates, it does however sends your credentials in the request to the server like it should.
What about it seems like a vulnerability? At best, this is an avenue for a phishing hack for getting someone to put in a bad URL and then send their credentials. No different than registering and convincing someone go to go facebooksecurityservices.com and log in with their Facebook account.
DNS hijacking shouldn't result in credential compromise if TLS is implemented properly. TLS is implemented here, but incorrectly (hold on) because the credentials are sent as soon as the validation fails and a dialog shows up (about the invalid certificate). So the user will realize they are being MITMed but the credentials are sent even if they don't continue.
No, underneath the bad writing it appears there is a real problem here. If you go to his simple walkthrough page you get a better understanding: https://leakyx.com/info.php
Credentials are sent BEFORE prompting the user to accept a self signed cert. So it sounds like an attacker can harvest credentials on a rogue wifi by spoofing DNS and using a self-signed cert. I don't have an iOS device so I can't test.
Can't edit to correct, but if what you say is true, I agree. Also no iOS device to test.
It's really difficult to tell that's what's happening in the midst of all the incorrect statements and conclusions even up to that point, and with the B section being even more absurd. It's quite possible that the reporting to vendors would also miss the legitimate vulnerability through the rest of the noise.
> Credentials are sent BEFORE prompting the user to accept a self signed cert. So it sounds like an attacker can harvest credentials on a rogue wifi by spoofing DNS and using a self-signed cert. I don't have an iOS device so I can't test.
This does not appear to be the case (Tested on an iOS 10.3.3 device and an iOS 11 device).
And all this while everyone is paying billions for complex info-sec software that does a lot less then it says on the tin. It's similar to the epidemic problem with non-verified/signed SSH keys where everyone just clicks Ok to any host-key presented. Though a bit more subtle, and something that should have been avoidable with a proper designed protocol.
It's the kind of trivial little thing that gets ignored(along with boring old maintenance tasks like patching infrastructure servers ect.) not despite of but because of all the attention given and budget spend on attending conferences on cyber-warfare and never to be correctly installed(let alone monitored) infosec appliances.
Almost every major hack ever blamed on super advanced state sponsored groups turns out to be someone fumbling a routine update (like what happened with equifax and wannacry) or setting a bad password(guccifer 1+2 etc.) And yet the lesson that gets drawn is never, "lets start following proper procedures for maintenance and training" but "lets reduce the maintenance budget some more by spending on infosec conferences and toys."
So basically typosquatting? It seems to me that any service that doesn't show the SSL certificate (or the EV name) is vulnerable to this, not just Exchange on iOS.
Edit: It seem it doesn't check the SSL certificate either. But it's super easy to get a valid SSL certificate nowadays, so just checking the SSL certificate for validity wouldn't be enough.
Because setting up a let's encrypt certificate is almost as easy as to making a self signed one. We're talking about typosquatting, having a completely valid domain of your own that is the same as someone else's but with a typo.
Edit: From what it is said in another comment, it's not exactly about typosquatting, but the author expresses the problem very badly. It seems credentials are sent to the domain before the certificate is checked. So one is vulnerable to DNS spoofing in e.g. a public wifi.
I'm not sure how they can be more clear than the first sentence, "So back in February I discovered that an iPhone was sending usernames and passwords unencrypted to an exchange server even when SSL was enabled."
Are you saying the later text contradicted this statement?
It was a bit confusing since he talks about typosquatting. He also talks about credentials sent unencrypted when SSL is off, which further makes everyone question the validity of his claims.
But he did find a vulnerability in iOS's Mail app.
To be clear, the issue in "Test A" is the lack of certificate validation. It wasn't immediately clear (poorly worded, IMO) but that's the (only) issue I see in that scenario and that is, indeed, a security issue (allows a MITM attack).
"Test B", however, is not a security issue at all, IMO; instead, it is "working exactly as intended".
> The Apache logs are not even needed without SSL enabled because the first request to the web server includes the username and password in clear text.
If SSL isn't enabled then, yes, of course it does. This may come as a shock to the author but standard IMAP4/POP3 without SSL also sends credentials in the clear (as does -- gasp! -- every other plain-text protocol!)
> Even when SSL is not enabled the client should not be sending the credentials without first verifying that it is a real exchange server.
And just how would the client do that? Using an (easily spoofable) "Server:" header in the HTTP response?
> Realistically the client should not even send the password before verifying the user exists.
That, however, would be an information disclosure vulnerability (identifying valid usernames on the server). That's why no other mail server in use on the Internet does that either. Not to mention that it's real easy for a malicious attacker (in control of the server) to lie about that too.
Aside: if you're running an Exchange server, set up Autodiscover [0] and all your users need to set up their mail account is their username and password (no server details are needed!). For other (i.e. non-Exchange) mail servers, there's a similar "Autoconfiguration" method that is supported by various mail clients, such as Thunderbird [1].
> And just how would the client do that? Using an (easily spoofable) "Server:" header in the HTTP response?
umm , yes?? Even a simple check would increase the complexity a successful attack. Yes it could be duplicated , but having a client that just dumps the credential without any verification does not sound like a good idea and is poor programming.
> To be clear, the issue in "Test A" is the lack of certificate validation. It wasn't immediately clear (poorly worded, IMO) but that's the (only) issue I see in that scenario and that is, indeed, a security issue (allows a MITM attack).
Actually, even this is completely wrong. You are understandably giving a charitable reading to the poorly worded explanation. I have tested this earlier today on an iOS 10.3.3 device and an iOS 11 device, and the TLS certificate is absolutely validated properly.
As you've stated with Test B, yes, if SSL is turned off then the information is indeed sent in plaintext during the account setup. However, I don't know what the purpose of this test was, as this is (as you said) expected behavior.
The TLS is validated properly, but the credentials are sent even before (or right when?) the dialog shows up about the certificate error.
To be clear, here is what I did.
1. Settings->Add new account-> Exchange
2. Entered email ID (with @leakyx.com domain) and password and selected 'Next' (iOS 11 required hitting Next, and entering password on the next screen. iOS 9.3.5 has only one prompt for both email and password)
At this point, a dialog showed up about the cerficate not being valid. You have the option to continue and trust the certificate or hit 'cancel'
3. I hit cancel. (Which means, you don't trust the certificate)
The credentials still showed up. I did it twice to be sure.
On leakyx.com, ktta@leakyx.com is with iOS 9.3.5 and iOS11@leakyx.com is with iOS 11
50 comments
[ 3.8 ms ] story [ 113 ms ] threadWhat more did Apple say on the phone? No rationale given?
What the author claims is a vulnerability isn't one in any real sense.
They basically "complain" that the mailbox on the iOS phone doesn't "validates" that the server is a real exchange server, in all honestly neither does outlook, nor most other client-server protocols I know off if the server isn't correct it will fail that's it.
Even if there was a way to downgrade or redirect traffic if you have the ability to do that it's game over, if you can MitM an SSL connection between an iOS device and it's server faking a layer 7 handshake isn't really hard to do at that point.
In this case, it's POST'ing the credentials before the certificate is validated.
This is the step that the author gracefully has omitted: https://imgur.com/a/OXIal, and no nothing is sent until you approve the certificate.
I can't be bothered to set up an actual exchange server to check what happens if you change the certificate midway, however having to approve a certificate change before when the certificates were rotated at my previous employer at least twice on an iPhone (and much older than the current iOS) it would bet that nothing is being sent.
What isn't "validated" is the fact that there is a real exchange server beyond the HTTP/HTTPS endpoint.
You can do a layer 7 validation and validate that there is an actual exchange server beyond the HTTP endpoint but as I stated it's utterly useless since if you can MitM the SSL connection answer "yes I'm a real exchange server" won't be a technical problem at that point.
The author basically sees something that isn't there, the mail app tries to connect to an exchange server, it does so over SSL, it does validates the SSL certificate or prompts the user to approve it if the chain cannot be validates, it does however sends your credentials in the request to the server like it should.
(Or send passwords over TLS)
https://news.ycombinator.com/item?id=15322740
Credentials are sent BEFORE prompting the user to accept a self signed cert. So it sounds like an attacker can harvest credentials on a rogue wifi by spoofing DNS and using a self-signed cert. I don't have an iOS device so I can't test.
It's really difficult to tell that's what's happening in the midst of all the incorrect statements and conclusions even up to that point, and with the B section being even more absurd. It's quite possible that the reporting to vendors would also miss the legitimate vulnerability through the rest of the noise.
This does not appear to be the case (Tested on an iOS 10.3.3 device and an iOS 11 device).
It's the kind of trivial little thing that gets ignored(along with boring old maintenance tasks like patching infrastructure servers ect.) not despite of but because of all the attention given and budget spend on attending conferences on cyber-warfare and never to be correctly installed(let alone monitored) infosec appliances.
Almost every major hack ever blamed on super advanced state sponsored groups turns out to be someone fumbling a routine update (like what happened with equifax and wannacry) or setting a bad password(guccifer 1+2 etc.) And yet the lesson that gets drawn is never, "lets start following proper procedures for maintenance and training" but "lets reduce the maintenance budget some more by spending on infosec conferences and toys."
Edit: It seem it doesn't check the SSL certificate either. But it's super easy to get a valid SSL certificate nowadays, so just checking the SSL certificate for validity wouldn't be enough.
Edit: From what it is said in another comment, it's not exactly about typosquatting, but the author expresses the problem very badly. It seems credentials are sent to the domain before the certificate is checked. So one is vulnerable to DNS spoofing in e.g. a public wifi.
Are you saying the later text contradicted this statement?
But he did find a vulnerability in iOS's Mail app.
"Test B", however, is not a security issue at all, IMO; instead, it is "working exactly as intended".
> The Apache logs are not even needed without SSL enabled because the first request to the web server includes the username and password in clear text.
If SSL isn't enabled then, yes, of course it does. This may come as a shock to the author but standard IMAP4/POP3 without SSL also sends credentials in the clear (as does -- gasp! -- every other plain-text protocol!)
> Even when SSL is not enabled the client should not be sending the credentials without first verifying that it is a real exchange server.
And just how would the client do that? Using an (easily spoofable) "Server:" header in the HTTP response?
> Realistically the client should not even send the password before verifying the user exists.
That, however, would be an information disclosure vulnerability (identifying valid usernames on the server). That's why no other mail server in use on the Internet does that either. Not to mention that it's real easy for a malicious attacker (in control of the server) to lie about that too.
Aside: if you're running an Exchange server, set up Autodiscover [0] and all your users need to set up their mail account is their username and password (no server details are needed!). For other (i.e. non-Exchange) mail servers, there's a similar "Autoconfiguration" method that is supported by various mail clients, such as Thunderbird [1].
[0]: https://msdn.microsoft.com/en-us/library/office/jj900169(v=e...
[1]: https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird...
umm , yes?? Even a simple check would increase the complexity a successful attack. Yes it could be duplicated , but having a client that just dumps the credential without any verification does not sound like a good idea and is poor programming.
Actually, even this is completely wrong. You are understandably giving a charitable reading to the poorly worded explanation. I have tested this earlier today on an iOS 10.3.3 device and an iOS 11 device, and the TLS certificate is absolutely validated properly.
As you've stated with Test B, yes, if SSL is turned off then the information is indeed sent in plaintext during the account setup. However, I don't know what the purpose of this test was, as this is (as you said) expected behavior.
To be clear, here is what I did.
1. Settings->Add new account-> Exchange
2. Entered email ID (with @leakyx.com domain) and password and selected 'Next' (iOS 11 required hitting Next, and entering password on the next screen. iOS 9.3.5 has only one prompt for both email and password)
At this point, a dialog showed up about the cerficate not being valid. You have the option to continue and trust the certificate or hit 'cancel'
3. I hit cancel. (Which means, you don't trust the certificate)
The credentials still showed up. I did it twice to be sure.
On leakyx.com, ktta@leakyx.com is with iOS 9.3.5 and iOS11@leakyx.com is with iOS 11
cf. https://leakyx.com.