What is the LeakyX exploit?

Leakyx is a discovered exploit when using the iOS mail client and connecting to Microsoft Exchange servers.

In theory a mail client should confirm the authenticity of the mail server before sending your login information. However in certain situations when using the iOS mail client they don't do this before sending your username and password to an unknown server.

This exploit can be verified using the steps below when you first add an Exchange account to iOS Mail. Your credentials will be sent unencrypted to any server you enter, even if it is not a valid mail server. No confirmation is done by the mail client before sending your username and password.

There are other methods using this exploit to get your credentials, however they will not be disclosed here so that vendors have an opportunity to patch this vulnerability. You might think your credentials are being sent securely however as of today all tested iOS devices are affected by this vulnerability.

The steps below are for testing purposes only, however a malicious party could easily use this exploit to harvest credentials in multiple different ways.

STEP 1: Setup a new exchange account
STEP 2: Enter a leakyx.com email address
STEP 3: Enter a password
( If you click next here then your credentials will be sent to the server )
Check the home page to see if your credentials show up.
STEP 4: Now the error shows up but it is too late.
Your credentials have been sent in an unencrypted form to a server.
In this test the receiving server is not even a mail server.
A Secure Score Project