A vulnerability in how Windows Phone devices connect to wireless access points and handle encryption could disclose corporate passwords, it is feared.
In an advisory, Microsoft warns that a flaw in a protocol known as PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2), used by Windows Phones for WPA2 Wi-Fi access could allow hackers to snoop passwords from users.
In vulnerable scenarios, an attacker who successfully exploited this issue could achieve information disclosure against the targeted device.
To exploit this issue, an attacker-controlled system could pose as a known Wi-Fi access point, causing the targeted device to automatically attempt to authenticate with it, and in turn allow the attacker to intercept the victim's encrypted domain credentials.
An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim's domain credentials.
"Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource," the firm said.
"In vulnerable scenarios, an attacker who successfully exploited this issue could achieve information disclosure against the targeted device."
The software giant said it is not currently aware of any active attacks involving the flaw or of any customers who have been affected by it.
"Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary," the company stated.
The vulnerability affects Windows Phone 7.8 and 8 devices but not earlier versions of the mobile operating system, according to Microsoft.
The firm has not issued a patch but is urging organisations to use a certificate verifying a wireless access point before starting an authentication process from Windows Phone 8 devices.
"A Windows Phone 8 device can be configured to validate a network access point to help make sure the network is your company's network before starting an authentication process," the advisory stated.
"This can be done by validating a certificate that's on your company's server. Only after validating the certificate is user name and password information sent to the authentication server."
