Staff logging into Exchange Server through a popular app could have placed their enterprise credentials at risk through a since-closed vulnerability.

The Nine app which has clocked up to a million downloads on the Google Play store would shout Microsoft Outlook login credentials over insecure connections thanks to a bug that failed to validate SSL.

Rapid7 Labs director Derek Abdine (@dabdine) found and reported the hole to the app's creator 9FoldersInc and US CERT in August.

The app creator issued a patch Thursday disclosing the man-in-the-middle hole in its update.

The most likely vector to be exploited, if any, would be at public hotspots.

Compromise is also possible if users have push notifications active while on the same network as an attacker.

Criminals could have gained access to Exchange inboxes, calendars, and tasks.

Rapid 7 senior security researcher Tod Beardsley said attackers could have set up rogue networks to target users running the app.

"Due to a lack of certificate validation with a configured remote Microsoft Exchange server, Nine leaks associated Microsoft Exchange user credentials, mail envelopes and their attachments, mailbox synchronisation information, calendar entries and tasks," Beardsley says.

"This issue presents itself regardless of SSL/TLS trust settings within the Nine server settings panel."

Attacks are unlikely but should serve as a warning for those using third-party apps to access corporate credentials.

Beardsley says administrators can find MUA strings prepended with "Nine-" in ActiveSync logs to determine what users are running the app. ®