[mirashii]

What about it seems like a vulnerability? At best, this is an avenue for a phishing hack for getting someone to put in a bad URL and then send their credentials. No different than registering and convincing someone go to go facebooksecurityservices.com and log in with their Facebook account.

[jlgaddis]

No certificate validation in "Test A".

[philjohn]

As someone else said, public wifi network, DNS hijack and boom, you've got their credentials.

[ricardobeat]

Same as DNS hijacking any website where the user has an account. What's the security issue in Exchange here?

[ktta]

DNS hijacking shouldn't result in credential compromise if TLS is implemented properly. TLS is implemented here, but incorrectly (hold on) because the credentials are sent as soon as the validation fails and a dialog shows up (about the invalid certificate). So the user will realize they are being MITMed but the credentials are sent even if they don't continue.

https://news.ycombinator.com/item?id=15322740