UPDATE: James Litwin has tested iOS 11 and found that the LeakyX exploit remains unpatched.

An iOS security flaw is causing Exchange credentials to be transmitted without encryption–even if SSL is enabled.

To make matters worse, the only thing iOS requires is a TCP handshake with a server that says it’s an Exchange server. There’s no need for the server to verify that it is an Exchange server or that the user exists–iOS just sends the credentials, and anyone with access to logs can read them.

The flaw, dubbed LeakyX by its discoverer James Litwin, has been known about since February. Litwin says that both Apple and Microsoft have been dismissive of his reports, which has concerned him due to the high exploitability of the flaw.


More than just a vulnerability

Nearly a year ago, The Register reported on an Exchange Autodiscover bug related to Litwin's find, but whereas Microsoft dismissed that bug as inconsequential, LeakyX makes it a serious issue.

The vulnerability starts the moment an iOS device contacts an Exchange server. As usual, the two complete a TCP 3-way handshake to establish their connection, but here's where things get problematic: iOS follows the handshake by immediately sending the credentials in a POST request, with the username and password merely base64-encoded. Base64 is a reversible encoding, not encryption, so anyone who can see the request can recover the plaintext.


No verification, no encryption–nothing. Just a username and password being broadcast to a server, and as the very first request.
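To make the "base64 is not encryption" point concrete, here is an added example, not code from the article or from Litwin: a small Python audit of the kind a proxy or log-monitoring pipeline could run over captured HTTP requests. It parses a constructed sample of a client's first request (the host name, account name and password are made up), shows that the Basic authorization header decodes straight back to the plaintext credentials, and raises findings without ever writing the password into the alert. The function names and the `over_tls` parameter are this example's own assumptions.

```python
import base64
import binascii
from typing import Dict, List, Optional, Tuple

# Constructed sample of a client's very first request, as a proxy or packet
# capture would show it: an Autodiscover POST with HTTP Basic credentials
# attached before the server has proved anything about itself. The host,
# user name and password are invented for this example.
SAMPLE_REQUEST = (
    "POST /autodiscover/autodiscover.xml HTTP/1.1\r\n"
    "Host: mail.example.test\r\n"
    "Authorization: Basic YWxpY2VAZXhhbXBsZS50ZXN0OlMzY3IzdFBhc3M=\r\n"
    "Content-Type: text/xml\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_http_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into (method, path, headers).

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    requires. The body is ignored; only the request line and headers matter.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def decode_basic_auth(header_value: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an 'Authorization: Basic ...' value.

    Base64 is an encoding, not encryption: whoever holds the bytes can
    reverse it. Returns None if the header is not Basic or is malformed.
    """
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def audit_request(raw: str, over_tls: bool) -> List[str]:
    """Return the findings a monitoring pipeline would raise for one request.

    `over_tls` records the transport the capture actually observed. The
    password itself is never written to a finding, only its length, so the
    alert does not become a second copy of the leak.
    """
    findings: List[str] = []
    method, path, headers = parse_http_request(raw)
    creds = decode_basic_auth(headers.get("authorization", ""))
    if creds is None:
        return findings
    user, password = creds
    findings.append(
        f"{method} {path}: Basic credentials for {user} "
        f"(password length {len(password)}) sent in the first request"
    )
    if not over_tls:
        findings.append(
            "Basic credentials sent without TLS: readable by any on-path observer"
        )
    if "autodiscover" in path.lower():
        findings.append("Credentials attached to an Autodiscover probe")
    return findings


if __name__ == "__main__":
    for finding in audit_request(SAMPLE_REQUEST, over_tls=False):
        print(finding)
```

Run against the sample, the audit reports three findings for a plaintext capture and two when the same request was seen inside TLS; a request without an Authorization header produces none. The redaction in `audit_request` is the part worth copying: a detection that logs the decoded password would re-create the exposure it is meant to catch.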

Litwin says that could enable an attacker to intercept communication via a man-in-the-middle attack and harvest credentials with little effort, but in his opinion that isn’t the main concern.

A larger risk for companies using Exchange is the potential of phishing attacks. Litwin is concerned that a large-scale phishing campaign that tells users to change their Exchange server settings could cause serious damage.

“The user would not even have to reenter their password and it only takes one failed request to grab the credentials,” Litwin said in his blog post reporting the find. “I could imagine this method to be highly effective with a well-crafted email.”

Is there a fix?

As of now neither Apple nor Microsoft has fixed the problem. Apple has told Litwin that iOS 11 will solve the problem, but Microsoft told him that the flaw “does not meet the bar for security servicing.”

So until iOS 11 is released (and even then it remains to be seen whether it will fix the problem), any Exchange credentials transmitted from an iOS device are completely unsecured.


Litwin has set up a website where iOS users can see LeakyX in action for themselves. Just set up a test account using these steps and visit the website. If you’re vulnerable you’ll see your credentials displayed on the page (use a test account–the site displays the most recent credentials it has received to anyone who visits).

If you want to secure yourself, the only thing to do is to disable Exchange syncing on your iOS device, which may not be feasible if you use it to get important work email. Just one more reason it’s a serious flaw.

Apple was contacted for comment on LeakyX, but has yet to respond. This article will be updated with any information it provides.

The top three takeaways for TechRepublic readers:

  1. A flaw in iOS is causing Exchange credentials to be transmitted to servers after a simple TCP handshake. The servers do not need to verify their identity or even prove they are Exchange servers before iOS sends credentials.
  2. The flaw could allow a man-in-the-middle attack to harvest credentials and also opens up Exchange users to phishing attacks that try to get them to change Exchange server addresses to a fake domain. Because iOS sends credentials without prompting, attackers can harvest credentials even if iOS fails to connect to a server.
  3. There is currently no fix for the flaw, though Apple says iOS 11 will address the issue.
