Microsoft has patched a vulnerability in its communication and collaboration platform, Teams, that could have let attackers take over all of an organization’s Teams accounts just by sending its members a malicious link to an image.
Researchers at CyberArk found the flaw, which affects both the desktop and web versions of the app. They disclosed their findings on March 23, and Microsoft released an update on April 20.
According to Omer Tsarfati at CyberArk, even if an attacker does not collect much information from a single Teams account, they could still use that account to navigate throughout an organization. Ultimately, the attacker could access all the data from the organization’s Teams accounts, including confidential information, meeting and calendar information, competitive data, secrets, passwords, private information, business plans, etc.
The vulnerability arises from the way Microsoft Teams handles authentication to image resources. Whenever the app is opened, an access token, a JSON Web Token (JWT), is created during the process, allowing a user to view images shared by the members of a conversation.
The researchers managed to get hold of a cookie (called “authtoken”) that provides access to a resource server (api.spaces.skype.com), and used it to create the previously mentioned “skype token”, giving them unrestricted permissions to send or receive messages, create groups, add users to or remove users from groups, and change group permissions via the Teams API.
Also, since the authtoken cookie is set to be sent to teams.microsoft.com or any of its subdomains, the researchers looked for subdomains that could be taken over and found two (aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com) that were susceptible to takeover attacks.
If the attacker manages to make the user visit any of the taken-over subdomains, the victim’s browser sends this cookie to the attacker’s server, and on receiving the authtoken the attacker can create a skype token. Eventually, the attacker can steal the victim’s Teams account data.
With the subdomains compromised, the attacker could exploit the flaws by simply sending a malicious link, such as a GIF, to any victim. When the recipient opens the message, the browser tries to load the image and, in doing so, sends the authtoken cookie to the compromised subdomain.
This authtoken cookie can be misused by the attacker to create a skype token and thereby access all of the victim’s data. The attack can be carried out by anyone who can interact with the victim through a chat interface, and the victim does not even realize they have been hacked.
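The root of the subdomain problem described above is cookie scope: a cookie whose Domain attribute names the parent host is sent to every subdomain, so any subdomain an attacker controls becomes a collection point. The following added example (not CyberArk’s or Microsoft’s code) models the RFC 6265 domain-match rule and contrasts the weak setting (a domain-scoped cookie) with the corrected one (a host-only cookie). All hostnames are constructed placeholders under example.com, not the real Teams domains.

```python
"""RFC 6265 cookie-scope model: which request hosts receive a given cookie.

Added example, not code from the article or from Microsoft/CyberArk.
Hostnames are constructed placeholders under example.com.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # Domain attribute value, or the setting host if omitted
    host_only: bool   # True when the server omitted the Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: a host domain-matches a cookie domain when it
    is identical or is a subdomain of it (suffix match on a label boundary,
    so a lookalike such as 'a.example.com.evil.example' does not match)."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def cookie_is_sent(cookie: Cookie, request_host: str) -> bool:
    """RFC 6265 section 5.4: host-only cookies go only to the exact host that
    set them; domain cookies go to that domain and every subdomain of it."""
    if cookie.host_only:
        return request_host.lower().rstrip(".") == cookie.domain.lower().rstrip(".")
    return domain_matches(request_host, cookie.domain)


def hosts_receiving(cookie: Cookie, hosts: Iterable[str]) -> List[str]:
    """Return, in order, the hosts in `hosts` that the browser would send
    `cookie` to. Every extra host here is extra attack surface for the cookie."""
    return [h for h in hosts if cookie_is_sent(cookie, h)]


# Constructed hosts mirroring the article's scenario: the legitimate app host,
# two other subdomains of the same parent (the kind that can dangle and be
# taken over), a lookalike domain, and an unrelated sibling domain.
HOSTS = [
    "teams.example.com",
    "aadsync-test.teams.example.com",
    "data-dev.teams.example.com",
    "teams.example.com.evil.example",
    "other.example.com",
]

# Weak setting: Domain=teams.example.com, so every subdomain receives the cookie.
DOMAIN_SCOPED = Cookie("authtoken", "teams.example.com", host_only=False)
# Corrected setting: no Domain attribute, so only the setting host receives it.
HOST_ONLY = Cookie("authtoken", "teams.example.com", host_only=True)

if __name__ == "__main__":
    for c in (DOMAIN_SCOPED, HOST_ONLY):
        scope = "domain-scoped" if not c.host_only else "host-only"
        print(f"{c.name} ({scope}) is sent to: {hosts_receiving(c, HOSTS)}")
```

Running the block shows the domain-scoped cookie reaching all three subdomains while the host-only cookie reaches only teams.example.com. In practice the mitigation is two-sided: issue session cookies without a Domain attribute (the `__Host-` cookie-name prefix makes browsers enforce this), and keep an inventory of DNS records so that subdomains pointing at decommissioned services are removed before anyone can claim them.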
The increase in the use of video conferencing services during the coronavirus pandemic has become a great opportunity for attackers to steal credentials and distribute malware.
All users are strongly advised to stay vigilant, watch out for phishing scams, and make sure their video conferencing software is kept up to date.