Hello
We experienced a major security issue. During account creation on the device, the password is sent over HTTP port 80 to the FQDN of the domain (for example, if the user has the address user@domain.pl, Autodiscover connects to domain.pl).
Example from the log of the device (Windows Phone 8):
OPTIONS /Microsoft-Server-ActiveSync?User=username&DeviceId=4B2268F7673485D2711A75B368082F51&DeviceType=WP8 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Authorization: Basic domain.pl\username:password
User-Agent: MSFT-WIN-4/10.0.14393
MS-ASProtocolVersion: 2.5
Host:domain.pl
Cookie: TS01aa3514=0131ea6e826f9369353c210c50a93be2842c5903899eef9c6d443f561fb24fb92212ab122c7b0a06200b1b0dbb30613cd2c47766f2
Is this normal behavior, or is something incorrectly configured?
--- Jacek Kochan MCSE,MCSA,MCITP
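
A defender-side check for the behaviour reported above, as an added example that is not part of the original post: it scans request heads captured on a plain-HTTP (port 80) listener and flags any that carry Basic credentials, recording the account but never the password. The function names, the constructed sample capture, and the assumption that the input is already known to be unencrypted traffic are all assumptions of this example.

```python
import base64
import binascii
import re

# Constructed sample: two request heads as seen on a plain-HTTP (port 80) listener.
SAMPLE = """\
OPTIONS /Microsoft-Server-ActiveSync?User=username&DeviceType=WP8 HTTP/1.1
Authorization: Basic ZG9tYWluLnBsXHVzZXJuYW1lOnBhc3N3b3Jk
Host:domain.pl

GET /index.html HTTP/1.1
Host: domain.pl
"""

# Hypothetical watch list: path prefixes treated as ActiveSync / Autodiscover.
EAS_PATHS = ("/microsoft-server-activesync", "/autodiscover")

def decode_basic(token):
    """Return 'user:password' from a Basic token; accept already-decoded text as logged."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
        if ":" in text:
            return text
    except (binascii.Error, UnicodeDecodeError):
        pass
    return token

def find_cleartext_basic(capture):
    """Flag requests in a plain-HTTP capture that carry Basic credentials."""
    findings = []
    for block in re.split(r"\r?\n\r?\n", capture.strip()):
        lines = block.splitlines()
        m = re.match(r"(\S+) (\S+) HTTP/\d\.\d$", lines[0].strip()) if lines else None
        if not m:
            continue
        # Header names are case-insensitive; "Host:domain.pl" (no space) also parses.
        headers = {k.strip().lower(): v.strip()
                   for k, sep, v in (l.partition(":") for l in lines[1:]) if sep}
        auth = headers.get("authorization", "")
        if not auth.lower().startswith("basic "):
            continue
        user = decode_basic(auth[6:].strip()).partition(":")[0]
        findings.append({
            "method": m.group(1),
            "path": m.group(2).split("?")[0],
            "host": headers.get("host", ""),
            "user": user,  # the password is deliberately never stored
            "activesync": m.group(2).lower().startswith(EAS_PATHS),
        })
    return findings
```

Any account this returns for port 80 traffic should be treated as having had its password exposed on the network path.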