This Android App is Leaking Microsoft Exchange Server User Credentials » KryptosTechnology


An Android app that lets corporate users connect to their company's own Microsoft Exchange Server installation leaks user credentials, which can be trivially decoded back to cleartext.

Microsoft Exchange Server is an email and calendaring server developed by Microsoft that runs only on Windows Server. Companies deploy it to run their own private email servers, and Microsoft also offers it as a hosted service through Office 365.

Corporate employees who want to connect to their company’s Microsoft Exchange Servers from their mobile devices can use a third-party app called Nine – Outlook for Android.

The app is very popular on Android and has between 500,000 and 1,000,000 active installations.

Security researchers from Rapid7 have discovered that while the app uses SSL/TLS to encrypt communications between the user's smartphone and the Exchange Server, it does not validate the SSL/TLS certificate the server presents, i.e. whether that certificate was actually issued for that server by a trusted authority.

This lack of validation makes the app vulnerable to MitM (Man-in-the-Middle) attacks, despite its use of strong encryption.

An attacker on the same Wi-Fi network can intercept the traffic, encrypted though it is, by presenting his own certificate to the app and relaying the connection to the real server.

Rapid7 researchers say that when the app connects to the user's Microsoft Exchange Server installation, it also authenticates the user. The credentials are sent as part of HTTPS requests, which the attacker can intercept and decrypt because he supplied the victim with a fake SSL/TLS certificate that the app accepted.

The credentials are transmitted Base64-encoded, and Base64 is an encoding rather than encryption: it can be trivially reversed to reveal the employee's actual username and password.
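The two points above (encryption without certificate validation, and Base64 as the only "protection" left once validation is gone) map onto two checks a reviewer can run. The following Python script is an added example written for this page; it is not code from Rapid7, 9Folders or the Nine app (which is a Java/Android app), and the Authorization header it decodes is a constructed sample, not a capture. It audits a TLS client configuration for the "encrypt but never verify" mistake, and then shows what an HTTP Basic Authorization header contains inside the TLS session, which is exactly what a relaying attacker reads once his certificate has been accepted.

```python
"""Two checks that correspond to the weakness described above:
 1. audit a TLS client configuration for 'encrypt but never verify';
 2. show what an HTTP Basic Authorization header contains inside the session.
"""
import base64
import ssl
from typing import List, Tuple


def make_client_context() -> ssl.SSLContext:
    """A client context configured the way a mail client should be.

    ssl.create_default_context() loads the platform trust store and sets
    verify_mode=CERT_REQUIRED and check_hostname=True, so the server's
    certificate must chain to a trusted CA *and* be issued for the host
    name the client connected to.
    """
    return ssl.create_default_context()


def make_unverified_context() -> ssl.SSLContext:
    """The failure mode the article describes: TLS is used, so traffic is
    encrypted, but the peer certificate is never validated, so a certificate
    forged by a man-in-the-middle is accepted. Built here only so the audit
    below has something to flag; this is the configuration to reject in review."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings a code reviewer would raise against a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: forged certificates are accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a certificate for any other host is accepted")
    return findings


def decode_basic_auth(authorization_value: str) -> Tuple[str, str]:
    """Decode the value of an HTTP 'Authorization: Basic ...' header.

    Base64 is an encoding, not encryption. Once an attacker's certificate has
    been accepted he sits inside the TLS session and reads this header as
    plainly as the server does; certificate validation is the only control
    between him and the credentials.
    """
    scheme, _, token = authorization_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization value")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# Constructed sample (hypothetical account): the Authorization header of a
# request to the Exchange server, as seen inside the TLS session.
SAMPLE_AUTH_HEADER = "Basic " + base64.b64encode(b"CORP\\jdoe:Winter2016!").decode("ascii")


if __name__ == "__main__":
    for name, ctx in (("hardened", make_client_context()),
                      ("unverified", make_unverified_context())):
        print(f"{name}: {audit_context(ctx) or ['no findings']}")
    user, password = decode_basic_auth(SAMPLE_AUTH_HEADER)
    print(f"recovered user={user!r}, password={'*' * len(password)}")
```

On Android the same review question is whether the app installs its own permissive `X509TrustManager` or `HostnameVerifier` (from `javax.net.ssl`) that accepts any certificate or any host name; the platform defaults already perform both checks, so the fix is to remove such overrides rather than to add anything.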

Although victim and attacker need to be on the same network, the researchers say a plausible attack scenario is a threat actor carrying a mobile Wi-Fi hotspot hidden in a backpack. This makes the attack vector mobile: it can be deployed at will rather than left to chance encounters.

Rapid7 informed 9Folders, the makers of the Nine app, who fixed the issue, tracked as CVE-2016-6533, on October 13 in version 3.1.0 of the Nine app.