Microsoft plugs a security hole that could have enabled attackers to weaponize a GIF in order to hijack Teams accounts and steal data
Microsoft has fixed a security flaw in Microsoft Teams that, if left unattended, could have been exploited to take over user accounts. By hijacking a Teams account, the bad actors might eventually traverse through the organization and gather data from the Teams accounts ranging from confidential information, passwords and business plans, among other things, according to researchers from CyberArk.
With many businesses recently forced to switch to having their employees work remotely due to the COVID-19 pandemic, their IT departments were faced with a challenge on how to make the switch to home office safely. Resolving communication was a cornerstone issue, with a large number opting to use one of the premier platforms such as Zoom, Microsoft Teams, or Slack. This has, in turn, put the platforms and it users in the crosshairs of cybercriminals.
CyberArk has now described a possible attack scenario: “We found that by leveraging a sub-domain takeover vulnerability in Microsoft Teams, attackers could have used a malicious GIF to scrape user’s data and ultimately take over an organization’s entire roster of Teams accounts.” The sub-domains that were vulnerable to takeover were aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com.
“If an attacker can somehow force a user to visit the sub-domains that have been taken over, the victim’s browser will send this cookie to the attacker’s server and the attacker (after receiving the authtoken) can create a skype token. After doing all of this, the attacker can steal the victim’s Teams account data,” reads the article.
RELATED READING: Work from home: Videoconferencing with security in mind
Exploitation of the vulnerability would have involved sending the victims a malicious GIF file. Worryingly, even viewing the GIF would have been enough to be affected, and the attack could spread automatically, in a worm-like fashion. The flaw is said to have been present in both the desktop and web browser versions of Teams.
CyberArk disclosed its findings to Microsoft on March 23rd, with the tech giant acting quickly and correcting the misconfigured Domain Name System (DNS) records on the same day. On April 20th, Microsoft issued a patch for Teams. Apparently, no attacks were spotted in the wild.
Zoom, one of Teams’ key competitors in the communication and collaboration arena, has had its share of privacy and security issues of late. Also, those findings came after half a million Zoom accounts were offered for sale on the dark web, although this was not due to any kind of breach of Zoom’s defenses.