An Android app that allows corporate users to connect to their own Microsoft Exchange Server installations leaks user credentials, which can be easily decoded to their cleartext version.
Microsoft Exchange Server is an email and calendaring server developed by Microsoft that runs only on Windows Server. Companies deploy it to run their own private email servers, but the product also allows them to run a localized version of Outlook via the Office 365 offering.
Corporate employees who want to connect to their company’s Microsoft Exchange Servers from their mobile devices can use a third-party app called Nine – Outlook for Android.
The app is very popular on Android and has between 500,000 and 1,000,000 active installations.
Security researchers from Rapid7 have discovered that while the app uses SSL/TLS to encrypt communications from the user’s smartphone to the Exchange Server, the app doesn’t validate the source of the SSL/TLS certificates it receives.
This lack of validation means the app is subject to MitM (Man-in-the-Middle) attacks, despite the usage of powerful encryption.
An attacker on the same Wi-Fi network can intercept traffic, despite being encrypted, and act as a relay point.
Rapid7 researchers say that when the app connects to the user’s Microsoft Exchange Server installation, it also authenticates. These details are sent as part of HTTPS requests, which the attacker intercepts and can decrypt because he supplied the victim with a fake SSL/TLS certificate.
The credentials are transmitted using Base64 encoding, which can be easily reversed and reveal the employee’s actual credentials.
Despite the need for both victim and attacker of being on the same network, security researchers say that a plausible and possible attack scenario would be when a threat actor would carry a mobile Wi-Fi hotspot with him, hidden in a backpack. This way, the attack vector is mobile and can be deployed at will, not just at chance encounters.
Rapid7 informed 9Folders, the Nine app makers, who have fixed the issue, tracked as CVE-2016-6533, on October 13, in version 3.1.0 of the Nine app.