To be clear, the issue in "Test A" is the lack of certificate validation. It wasn't immediately clear (poorly worded, IMO) but that's the (only) issue I see in that scenario and that is, indeed, a security issue (allows a MITM attack).<p>"Test B", however, is not a security issue at all, IMO; instead, it is "working exactly as intended".<p>> <i>The Apache logs are not even needed without SSL enabled because the first request to the web server includes the username and password in clear text.</i><p>If SSL isn't enabled then, yes, of course it does. This may come as a shock to the author but standard IMAP4/POP3 without SSL <i>also</i> sends credentials in the clear (as does -- <i>gasp!</i> -- every other plain-text protocol!)<p>> <i>Even when SSL is not enabled the client should not be sending the credentials without first verifying that it is a real exchange server.</i><p>And just how would the client do that? Using an (easily spoofable) "Server:" header in the HTTP response?<p>> <i>Realistically the client should not even send the password before verifying the user exists.</i><p>That, however, would be an information disclosure vulnerability (identifying valid usernames on the server). That's why no other mail server in use on the Internet does that either. Not to mention that it's real easy for a malicious attacker (in control of the server) to lie about that too.<p>Aside: if you're running an Exchange server, set up Autodiscover [0] and all your users need to set up their mail account is their username and password (no server details are needed!). For other (i.e. non-Exchange) mail servers, there's a similar "Autoconfiguration" method that is supported by various mail clients, such as Thunderbird [1].<p>[0]: <a href="https://msdn.microsoft.com/en-us/library/office/jj900169(v=exchg.150).aspx" rel="nofollow">https://msdn.microsoft.com/en-us/library/office/jj900169(v=e...</a><p>[1]: <a href="https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration" rel="nofollow">https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird...</a>
I find it funny that people are injecting alert()'s into the testing tool -- a vulnerability in a vulnerability report!<p>cf. <a href="https://leakyx.com" rel="nofollow">https://leakyx.com</a>.
So basically typosquatting? It seems to me that any service that doesn't show the SSL certificate (or the EV name) is vulnerable to this, not just Exchange on iOS.<p>Edit: It seem it doesn't check the SSL certificate either. But it's super easy to get a valid SSL certificate nowadays, so just checking the SSL certificate for validity wouldn't be enough.
And all this while everyone is paying billions for complex info-sec software that does a lot less then it says on the tin. It's similar to the epidemic problem with non-verified/signed SSH keys where everyone just clicks Ok to any host-key presented. Though a bit more subtle, and something that should have been avoidable with a proper designed protocol.<p>It's the kind of trivial little thing that gets ignored(along with boring old maintenance tasks like patching infrastructure servers ect.) not despite of but because of all the attention given and budget spend on attending conferences on cyber-warfare and never to be correctly installed(let alone monitored) infosec appliances.<p>Almost every major hack ever blamed on super advanced state sponsored groups turns out to be someone fumbling a routine update (like what happened with equifax and wannacry) or setting a bad password(guccifer 1+2 etc.) And yet the lesson that gets drawn is never, "lets start following proper procedures for maintenance and training" but "lets reduce the maintenance budget some more by spending on infosec conferences and toys."
So a more realistic scenario might be after gaining access to a company's LAN, or at a public WiFi? Did I read it right, you can force downgrade Exchange clients from TLS to plaintext, essentially?<p>What more did Apple say on the phone? No rationale given?