Microsoft plugs a security hole that could have
enabled attackers to weaponize a GIF in order to hijack Teams accounts and
steal data
Microsoft has fixed a
security flaw in Microsoft Teams that, if left unattended, could have been
exploited to take over user accounts. By hijacking a Teams account, the bad
actors might eventually traverse through the organization and gather data from
the Teams accounts ranging from confidential information, passwords and
business plans, among other things, according to researchers from CyberArk.
With companies recently
forced to switch to working remotely due to the COVID-19
pandemic, their IT departments were
faced with a challenge on how to make the switch to home office safe. Resolving communication was a cornerstone issue,
with a large number opting to use one of the premier platforms such as Zoom, Microsoft
Teams, or Slack. This has, in turn, put the platforms and it users in the
crosshairs of cybercriminals.
CyberArk has now described
a possible attack scenario: “We found that by leveraging a sub-domain takeover
vulnerability in Microsoft Teams, attackers could have used a malicious GIF to
scrape user’s data and ultimately take over an organization’s entire roster of
Teams accounts.” The sub-domains that were vulnerable to takeover were
aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com.
“If an attacker can somehow
force a user to visit the sub-domains that have been taken over, the victim’s
browser will send this cookie to the attacker’s server and the attacker (after
receiving the authtoken) can create a skype token. After doing all of this, the
attacker can steal the victim’s Teams account data,” reads the article.
Exploitation of the
vulnerability would have involved sending the victims a malicious GIF file.
Worryingly, even viewing the GIF would have been enough to be affected, and the
attack could spread automatically, in a worm-like fashion. The flaw is said to
have been present in both the desktop and web browser versions of Teams.
CyberArk disclosed its
findings to Microsoft on March 23rd, with the tech giant acting quickly and correcting
the misconfigured Domain Name System (DNS) records on the same day. On April 20th, Microsoft
issued a patch for Teams. Apparently, no attacks were spotted in the wild.
Zoom, one of Teams’ key
competitors in the communication andcollaboration arena, has had its share
of privacy and security issues of late. Also, those findings came
after half a million Zoom accounts were
offered for sale on the
dark web, although this was not due to any kind of breach of Zoom’s defenses.