
Microsoft Patches Teams Vulnerability

Exploit Could Lead to Account Takeover, CyberArk Researchers Say

Microsoft pushed out a patch Monday for a vulnerability in its Teams collaboration platform that could allow an attacker to take over an organization's accounts through the use of a weaponized GIF image.

Researchers at the security firm CyberArk say they discovered the flaw earlier this year and informed Microsoft of the vulnerability on March 23. The two companies collaborated on a fix and alerted users before the details of the vulnerability, including a proof-of-concept attack, were published this week.


Microsoft, under its Coordinated Vulnerability Disclosure program, worked with CyberArk to address the issue, a Microsoft spokesperson tells Information Security Media Group. "While we have not seen any use of this technique in the wild, we have taken steps to keep our customers safe," the spokesperson added.

An exploit of the vulnerability could lead to a chain of events where an attacker starts by taking over a subdomain in Teams and then uses a weaponized GIF image that can scrape data from the platform and, ultimately, lead to a takeover of all the Teams accounts within an organization, according to a report from CyberArk.

Asaf Hecht and Omer Tsarfati, the two researchers who discovered the flaw, note that the vulnerability was present in desktop and web browser versions of Teams.

"We have not found any evidence that this vulnerability was actually used. However, it would be easy to perform such an attack," Hecht tells ISMG. "The hardest part is finding where the vulnerability exists, but the exploitation is pretty straightforward - no special skills or tools needed."

Targeting Teams

When Hecht and Tsarfati were examining the Teams platform, they found a flaw in how it passes the authentication access token to the image resources, according to the CyberArk report.

When a user opens Teams, the application creates a temporary token or access token, which is registered with the authentication server: login.microsoftonline.com. The Teams application also creates other tokens so that users can share images and data with other Microsoft platforms, such as Outlook and SharePoint, according to the report.

Teams generates tokens called "authtoken" and "skypetoken," which give users permission to view images once the authentication process is complete, the report explains. These tokens are then sent to the main Teams domain as well as various subdomains. The researchers found that two of the subdomains, "adsync-test.teams.microsoft.com" and "data-dev.teams.microsoft.com," were vulnerable to an account takeover.


"If an attacker can somehow force a user to visit the subdomains that have been taken over, the victim's browser will send this cookie to the attacker's server, and the attacker (after receiving the authtoken) can create a Skype token. After doing all of this, the attacker can steal the victim's Teams account data," according to the report.
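The exposure described above comes down to cookie scope: a cookie scoped to a parent domain is sent to every subdomain, including one whose DNS record no longer points at a resource the owner controls. The audit sketch below is an added example, not code from CyberArk or Microsoft; the Set-Cookie headers, the Domain scoping, the "prefs" cookie and the inventory flags are constructed assumptions, and only the hostnames come from the article.

```python
# Added example: for each subdomain the organization no longer controls,
# list the sensitive cookies a browser would still send to it.
ORIGIN = "teams.microsoft.com"

# Constructed Set-Cookie headers. The Domain attribute on authtoken is an
# assumption modelling "sent to the main domain as well as subdomains".
HEADERS_WIDE = [
    "authtoken=CONSTRUCTED; Domain=.teams.microsoft.com; Path=/; Secure",
    "prefs=dark; Path=/",  # hypothetical non-sensitive, host-only cookie
]
# Same cookie without Domain: host-only, sent to ORIGIN and nowhere else.
HEADERS_HOST_ONLY = ["authtoken=CONSTRUCTED; Path=/; Secure", "prefs=dark; Path=/"]

# Constructed inventory from a separate DNS audit: True means the record still
# points at a resource the organization controls. Hostnames are from the article.
INVENTORY = {
    "teams.microsoft.com": True,
    "adsync-test.teams.microsoft.com": False,
    "data-dev.teams.microsoft.com": False,
}

def parse_set_cookie(header, origin_host):
    """Extract the cookie name and its effective domain scope."""
    first, *attrs = [part.strip() for part in header.split(";")]
    domain = ""
    for attr in attrs:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = value.strip().lstrip(".").lower()
    return {"name": first.split("=", 1)[0],
            "domain": domain or origin_host.lower(),
            "host_only": not domain}

def receives(cookie, host):
    """RFC 6265 domain matching: exact host, or a subdomain unless host-only."""
    host = host.lower()
    if host == cookie["domain"]:
        return True
    return not cookie["host_only"] and host.endswith("." + cookie["domain"])

def exposed_cookies(headers, origin_host, inventory, sensitive):
    """Map each uncontrolled host to the sensitive cookies it would receive."""
    cookies = [parse_set_cookie(h, origin_host) for h in headers]
    findings = {}
    for host, controlled in inventory.items():
        names = sorted(c["name"] for c in cookies
                       if c["name"] in sensitive and receives(c, host))
        if not controlled and names:
            findings[host] = names
    return findings

if __name__ == "__main__":
    for label, headers in (("wide", HEADERS_WIDE), ("host-only", HEADERS_HOST_ONLY)):
        print(label, exposed_cookies(headers, ORIGIN, INVENTORY, {"authtoken"}))
```

Any non-empty result is a cookie that should be narrowed to host-only scope, or a DNS record that should be removed or reclaimed.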

CyberArk researchers found that if a targeted victim is sent a weaponized GIF file, it can trigger the attack by sending the authtoken to the compromised subdomain. Once the attackers have possession of that one token, they can take over the initial Teams account, according to the report.

"An attacker would need to register the subdomain under teams.microsoft.com and create a GIF, which would be built with a redirect to this subdomain," Hecht says. "Then it's just a matter of finding a target and sending the GIF via Teams chat."

If attackers gained control of one Teams account, they could jump to all the other accounts within an organization and gather confidential information, including meetings and calendar information, competitive data, passwords, private information, business plans and more, according to the report.

Collaboration Security

The CyberArk researchers note that work-from-home scenarios mean attackers are focusing more on these collaboration and video conferencing platforms and looking for flaws to exploit.

"As more business is conducted from remote locations, attackers are focusing their efforts on exploiting the key technologies - like Zoom and Microsoft Teams - that companies and their employees depend on to stay connected," the report notes.

Over the last several weeks, Zoom's video conferencing platform has come under more scrutiny as researchers have found flaws and vulnerabilities in its software, which has led the company to make fixes (see: Zoom Still Addressing Security, Privacy Concerns).


About the Author

Akshaya Asokan


Senior Correspondent

Asokan is senior correspondent for Information Security Media Group's global news desk. She has previously worked with IDG and other publications where she reported on developments in technology, minority-rights and education.



