How a Single Picture Let Attackers Hack Microsoft Teams Accounts
Microsoft has patched a worm-like vulnerability in its Teams workplace video chat and collaboration platform that could have allowed attackers to take over an organization's entire roster of Teams accounts just by sending participants a malicious link to an innocent-looking image.
The bug, affecting both mobile and web versions of the software, was discovered by cybersecurity researchers at CyberArk. After the findings were responsibly disclosed on 23 March, Microsoft fixed the vulnerability in an update released on 20 April.
"Eventually, the attacker may have access to all the information from your organization's Teams accounts — collecting confidential information, meetings and calendar information, competitive data, secrets, passwords, private information, business plans, etc." The development comes as video conferencing software such as Zoom and Microsoft Teams witness an unprecedented surge in demand as businesses, studs, and others. A Subdomain Takeover Vulnerability The flaw stems from the way Microsoft Teams handle image resource authentication.
CyberArk researchers found that they were able to get hold of a cookie (called "authtoken") that grants access to a resource server (api.spaces.skype.com), and used it to generate a "skype token," giving them unfettered permission to send messages, read messages, create groups, add new users or delete users from groups, and modify group permissions via the Teams API.
That's not all. Since the authtoken cookie is set to be sent to teams.microsoft.com or any of its sub-domains, the researchers said they discovered two sub-domains (aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com) that were susceptible to takeover attacks.
"If the attacker can somehow force the user to visit the subdomains that have been taken over, the victim's browser will send this cookie to the attacker's server, and the attacker (after receiving the autoken) will be able to create a skype token," the researchers said. "After doing all this, the attacker can steal the victim's account data from the Team." Now armed with the compromised subdomains, the attacker could exploit the flaw by simply sending a malicious link, say a GIF, to an unsuspected victim, or to all the members of a group chat. Thus, when the recipients open the file, the browser attempts to load the image, but not before sending the authenticated cookies to the compromised sub-domain.
"The target will never realize that they have been targeted, making the exploitation of this weakness stealthy and risky," the researchers said.
Videoconferencing Company-Themed Attacks on the Rise
Attackers have turned the move to remote work in the midst of the ongoing COVID-19 pandemic, and the rising demand for videoconferencing services, into a lucrative way to steal credentials and spread malware.
In the face of such emerging threats, it is recommended that users watch out for phishing scams and ensure that video conferencing software is kept up to date.