Microsoft Teams Vulnerability - ThreatWire Crosspost
Added 2020-04-28 18:22:20 +0000 UTC

Zoom isn’t the only video conferencing tool that has experienced security flaws since the pandemic began. Microsoft has also experienced this with its Teams workplace video and collaboration platform, where an attacker would just need to send a malicious link to an image to take control over an organization’s accounts. This would include gaining access to confidential information, meetings, calendar info, passwords, and any kind of proprietary information that is shared between members of a business’s Teams account.
This flaw impacts both desktop and web versions of Teams, and the problem was disclosed by CyberArk on March 23, with Microsoft patching the flaw on April 20, about a month later. It’s always fun to take a look at how these attacks work, so I’ll break it down: Microsoft Teams had this flaw due to how it handles authentication of image resources, which allowed CyberArk to take advantage of a subdomain takeover vulnerability. An access token called a JSON Web Token (or JWT for short) is created each time the app is opened, and that allows users to view images shared between team members, as well as get access to things like SharePoint and Outlook. An authtoken cookie gives access to a resource server called api.spaces.skype.com, and this was used by researchers at CyberArk to create a Skype Token that would allow them to change permissions on the accounts - also allowing them to do things like send and receive messages, create groups, and add or remove users, all within that Teams API. This cookie also gets sent to subdomains of teams.microsoft.com, and two of these subdomains were also vulnerable to takeover attacks.
A user could be tricked into visiting one of those subdomains, at which time the authtoken cookie would be sent to an attacker’s server - this would allow the attacker to create that Skype Token, which would then allow them to gain access and steal data from the Teams platform. How does the attacker trick a user? It’s easy - they could send a malicious link to an image file, like a GIF, using the chat functionality. That image would attempt to load, and the browser’s request for it would carry the authtoken cookie along with it.
CyberArk did not note any use of this attack in the wild, though it is highly critical to patch. To fix this issue, Microsoft simply deleted misconfigured DNS records for the two vulnerable subdomains.
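To make the two halves of this story concrete from the defender’s side, here is an added example (my own code, not CyberArk’s research code or anything from Microsoft). It models the cookie-scoping rule that causes a parent-domain cookie to be sent to every subdomain (RFC 6265 domain matching), and the dangling-CNAME check that finds subdomains someone else could claim. Putting the two together shows exactly which hosts a broadly scoped cookie could leak to, and why deleting the misconfigured DNS records closes the hole. The parent domain is written as teams.microsoft.com; the hostnames under it, the CNAME targets and the "resolvable names" set are all constructed for the example, and the resolver is an offline stub you would swap for a real DNS lookup.

```python
"""Cookie scope x dangling DNS = where a session cookie can leak (added example, constructed data)."""
import ipaddress
from typing import Callable, Dict, List, Optional


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: does `host` fall inside the cookie's Domain attribute?

    True when the names are identical, or when host ends with "." + cookie_domain
    and host is a real hostname rather than an IP literal.
    """
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(host)      # IP literals never domain-match a suffix
        return False
    except ValueError:
        pass
    return host.endswith("." + cookie_domain)


def cookie_sent_to(host: str, cookie: Dict[str, Optional[str]]) -> bool:
    """A host-only cookie (no Domain attribute) goes back only to the origin host;
    a cookie with Domain=parent goes to the parent and every subdomain of it."""
    if cookie["domain"] is None:
        return host.lower() == cookie["origin_host"].lower()
    return domain_matches(host, cookie["domain"])


# Constructed zone snapshot: name -> CNAME target (None means no CNAME, e.g. an A record).
# The "old-test" record points at a target that no longer exists: a takeover candidate.
CONSTRUCTED_ZONE: Dict[str, Optional[str]] = {
    "teams.microsoft.com": None,
    "api.teams.microsoft.com": "api-prod.cloudapp.example",          # hypothetical, still live
    "old-test.teams.microsoft.com": "retired-test.cloudapp.example",  # hypothetical, dangling
}

# Constructed answer set standing in for DNS: names that would resolve today.
CONSTRUCTED_RESOLVABLE = {
    "teams.microsoft.com",
    "api.teams.microsoft.com",
    "api-prod.cloudapp.example",
}


def resolves_offline(name: str) -> bool:
    """Offline stand-in for a DNS lookup; replace with a real resolver in practice."""
    return name in CONSTRUCTED_RESOLVABLE


def dangling_cnames(zone: Dict[str, Optional[str]],
                    resolves: Callable[[str], bool]) -> List[str]:
    """Records whose CNAME target does not resolve: the classic subdomain-takeover precondition."""
    return [name for name, target in zone.items() if target and not resolves(target)]


def cookie_leak_hosts(cookie: Dict[str, Optional[str]],
                      zone: Dict[str, Optional[str]],
                      resolves: Callable[[str], bool]) -> List[str]:
    """Dangling hosts that would also receive the cookie: the intersection that matters."""
    return [h for h in dangling_cnames(zone, resolves) if cookie_sent_to(h, cookie)]


def remediated_zone(zone: Dict[str, Optional[str]],
                    resolves: Callable[[str], bool]) -> Dict[str, Optional[str]]:
    """Mirror the fix described above: drop the misconfigured (dangling) records."""
    bad = set(dangling_cnames(zone, resolves))
    return {name: target for name, target in zone.items() if name not in bad}


# Two cookie shapes for comparison (constructed; attribute names only, no real token values).
AUTHTOKEN = {"name": "authtoken", "domain": "teams.microsoft.com",
             "origin_host": "teams.microsoft.com"}
HOST_ONLY = {"name": "authtoken", "domain": None,
             "origin_host": "teams.microsoft.com"}

if __name__ == "__main__":
    print("dangling:", dangling_cnames(CONSTRUCTED_ZONE, resolves_offline))
    print("parent-scoped cookie leaks to:",
          cookie_leak_hosts(AUTHTOKEN, CONSTRUCTED_ZONE, resolves_offline))
    print("host-only cookie leaks to:",
          cookie_leak_hosts(HOST_ONLY, CONSTRUCTED_ZONE, resolves_offline))
    fixed = remediated_zone(CONSTRUCTED_ZONE, resolves_offline)
    print("after removing dangling records:",
          cookie_leak_hosts(AUTHTOKEN, fixed, resolves_offline))
```

The point the output makes is that the leak needs both conditions at once: a cookie whose Domain attribute covers the whole zone, and at least one name in that zone that an outsider could register. Deleting the records (Microsoft’s fix) removes the second condition; narrowing the cookie scope, or keeping the auth cookie host-only, removes the first. Running a dangling-CNAME sweep like this against your own zones on a schedule is a cheap way to catch the second condition before someone else does.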
Links:
Support me on alternative platforms! https://snubsie.com/support
Shop ThreatWire Merch! - https://snubsie.com/shop
https://www.youtube.com/shannonmorse -- subscribe to my tech channel!
ThreatWire is only possible because of our Patreon patrons! https://www.patreon.com/threatwire
Check out my new video about the last active Morse Code Radio Station in the US - https://www.youtube.com/watch?v=UPTzvciqgJ0
Links:
https://thehackernews.com/2020/04/microsoft-teams-vulnerability.html
https://threatpost.com/single-malicious-gif-opened-microsoft-teams-to-nasty-attack/155155/
https://www.cyberscoop.com/microsoft-teams-security-flaw-cyberark-gif/