Microsoft patches the vulnerability that allowed account takeover


Viewing a GIF may have led to Microsoft Teams account hacking and data stealing

Microsoft Teams accounts may have been hacked

Security researchers disclosed a flaw that allowed account takeover on the Microsoft Teams platform.[1] Exploiting it involved sending recipients an ordinary GIF; merely viewing the image may have been enough to trigger the hijacking bug and compromise the account.[2] Both versions of Microsoft Teams were vulnerable: the desktop client and Teams for the web. The flaw could apparently affect multiple accounts and expose conversation data such as messages and shared media or files.[3]

Even if an attacker doesn't gather much information from a Teams account, they could still use it to traverse the organization, spreading from account to account just like a worm.

Findings of this worm-like flaw were disclosed to Microsoft on March 23. A few weeks later, on April 20, Microsoft released a patch in an updated version. According to the researchers, attackers may have gathered data from organizations' accounts: confidential information, meetings, calendar events, competitive data, secrets, and even passwords, private data, and business plans were all accessible after a successful hijack.[4]

Subdomain takeover allowing the invisible attack

The attack was possible due to a flaw in how Microsoft Teams authenticates to image resources. Each time the app is opened, an access token is created. Through this process, users are allowed to view images and other media shared by participants in the ongoing conversation. CyberArk published full details on how the platform loads images and how this authentication works when delivering such messages.

Cookie authentication is designed to ensure that a particular recipient gets the image intended for them; authentication completes via two cookies, "authtoken" and "skypetoken". The first grants access to a resource server and is used to create the second. The latter then grants, via the Teams API, unfettered permissions within groups to send and read messages, create groups, and add or remove users.

An attacker holding both cookies can make calls through the Teams APIs, control the account, and use every function granted to it. The "authtoken" is sent to a subdomain, so the attack starts with a subdomain takeover of aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com. To achieve this, the hacker needs to obtain a digital certificate for the affected subdomain, which is not especially difficult for cybercriminals.
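The practical reason a subdomain takeover matters here is cookie scoping: a browser sends a cookie that was set with a Domain attribute to every host under that domain, so a token cookie scoped to the parent domain also reaches an abandoned subdomain. The Python below is an added illustration, not code from CyberArk's research or from Microsoft: it implements RFC 6265 domain matching and compares a parent-scoped cookie with a host-only one. Only the cookie name and the two subdomain names come from the article; the Domain values, the host list and the "trusted inventory" are constructed assumptions.

```python
"""Which hosts receive a cookie, under RFC 6265 domain matching.

Added illustration for the authtoken/skypetoken discussion; not CyberArk's
or Microsoft's code. Cookie name and the two subdomains come from the
article; Domain attribute values and the host list are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str      # Domain attribute if one was set, else the origin host
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: a host domain-matches a cookie domain when the
    two are equal, or the host ends with '.' followed by the cookie domain."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)


def cookie_sent_to(cookie: Cookie, request_host: str) -> bool:
    """Host-only cookies go back only to the host that set them; a cookie with
    a Domain attribute goes to that domain and every subdomain under it."""
    if cookie.host_only:
        return request_host.lower().rstrip(".") == cookie.domain.lower().rstrip(".")
    return domain_matches(request_host, cookie.domain)


def hosts_receiving(cookie: Cookie, hosts) -> list:
    """Hosts in `hosts` (in order) that the browser would send `cookie` to."""
    return [h for h in hosts if cookie_sent_to(cookie, h)]


def exposure_report(cookie: Cookie, hosts, trusted_hosts) -> list:
    """Hosts that would receive the cookie but are not in the defender's
    inventory of hosts that should ever hold it (e.g. forgotten subdomains)."""
    trusted = {h.lower().rstrip(".") for h in trusted_hosts}
    return [h for h in hosts_receiving(cookie, hosts)
            if h.lower().rstrip(".") not in trusted]


# Constructed host list: the parent host, the two subdomains the article
# names, and an unrelated host as a control.
CANDIDATE_HOSTS = [
    "teams.microsoft.com",
    "aadsync-test.teams.microsoft.com",
    "data-dev.teams.microsoft.com",
    "example.com",
]

# Assumed scopings for illustration: the weak setting is a cookie whose Domain
# covers the whole parent; the tighter setting is a host-only cookie.
AUTHTOKEN_PARENT_SCOPED = Cookie("authtoken", "teams.microsoft.com", host_only=False)
AUTHTOKEN_HOST_ONLY = Cookie("authtoken", "teams.microsoft.com", host_only=True)

# Constructed inventory: the only host that should legitimately see the token.
TRUSTED_HOSTS = ["teams.microsoft.com"]


if __name__ == "__main__":
    for c in (AUTHTOKEN_PARENT_SCOPED, AUTHTOKEN_HOST_ONLY):
        scope = "host-only" if c.host_only else f"Domain={c.domain}"
        print(f"{c.name} ({scope}) is sent to: {hosts_receiving(c, CANDIDATE_HOSTS)}")
        print("  outside trusted inventory:",
              exposure_report(c, CANDIDATE_HOSTS, TRUSTED_HOSTS))
```

The parent-scoped cookie reaches both subdomains named in the article, while the host-only cookie reaches none of them; that difference is why narrowing cookie scope and pruning unused subdomains both reduce the impact of a takeover.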

Worm-like spread from one account to another in the same organization

With a setup that lets the attacker send the image, trigger the browser to load the resource, and deliver the particular cookie, full access to the account can be obtained. It all happens quickly and behind the user's back: victims remain unaware of the threat and of the possibility that their Microsoft Teams account has been taken over.

This attack can spread automatically from one compromised account to another among people in the same organization. Obtaining conversations, messages, and all the media shared between recipients is not difficult, because a script lets the hacker scrape all the threads.

Microsoft reacted to the report and took action against the worm-like threat after the initial alerts. The first step was to delete the misconfigured DNS records that allowed the subdomain takeover. Further measures were then imposed to avoid similar flaws in the future, on this and other platforms.
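Microsoft's first remediation step, deleting the DNS records that made the takeover possible, corresponds to a check any zone owner can run on their own records. The Python below is an added example, not Microsoft's or CyberArk's tooling: it parses a small zone fragment and reports CNAME records whose target is neither a name served in the zone nor listed in an inventory of external services the organisation still owns. The dangling-CNAME pattern is assumed as the misconfiguration (the article only says the records were misconfigured), and the zone text, the CNAME targets and the inventory are constructed samples; only the two subdomain names come from the article.

```python
"""Audit a zone fragment for CNAME records whose targets no longer exist.

Added example for the DNS clean-up the article describes; not Microsoft's
tooling. A dangling CNAME is assumed as the misconfiguration; the zone text
and the provisioned-service inventory are constructed samples.
"""


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so names compare consistently."""
    return name.lower().rstrip(".")


def parse_zone(text: str) -> list:
    """Parse 'owner TTL class type rdata' lines; skip blanks and ';' comments."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # strip full-line and inline comments
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"unexpected record layout: {raw!r}")
        owner, ttl, rclass, rtype, rdata = fields
        rtype = rtype.upper()
        records.append({
            "name": normalize(owner),
            "ttl": int(ttl),
            "class": rclass.upper(),
            "type": rtype,
            # CNAME targets are names, so normalise them; leave A data as-is.
            "rdata": normalize(rdata) if rtype == "CNAME" else rdata,
        })
    return records


def dangling_cnames(records: list, provisioned) -> list:
    """CNAMEs whose target is neither an owner name in this zone nor a
    provisioned external service; returned as (owner, target) in zone order."""
    in_zone = {r["name"] for r in records}
    live = in_zone | {normalize(p) for p in provisioned}
    return [(r["name"], r["rdata"]) for r in records
            if r["type"] == "CNAME" and r["rdata"] not in live]


# Constructed sample zone. Owner names reuse the two subdomains the article
# mentions; the targets and the remaining records are invented for the demo.
SAMPLE_ZONE = """
; teams.microsoft.com fragment (constructed for illustration)
www.teams.microsoft.com.            300 IN A     203.0.113.10
api.teams.microsoft.com.            300 IN CNAME api-prod.cloud-provider.example.
aadsync-test.teams.microsoft.com.   300 IN CNAME aadsync-test.cloud-provider.example.
data-dev.teams.microsoft.com.       300 IN CNAME data-dev.cloud-provider.example.
legacy.teams.microsoft.com.         300 IN CNAME www.teams.microsoft.com.
"""

# Constructed inventory of external service names the organisation still owns.
PROVISIONED_SERVICES = {"api-prod.cloud-provider.example"}


def audit(zone_text: str = SAMPLE_ZONE, provisioned=PROVISIONED_SERVICES) -> list:
    """Run the dangling-CNAME check over a zone fragment."""
    return dangling_cnames(parse_zone(zone_text), provisioned)


if __name__ == "__main__":
    for owner, target in audit():
        print(f"DANGLING: {owner} -> {target} "
              f"(delete the record or re-provision the target)")
```

In the sample the two article-named subdomains point at service names that are no longer in the inventory and are flagged; `api` resolves to a provisioned service and `legacy` to another name in the zone, so neither is reported. In practice the inventory would come from the cloud provider's API and the zone from the authoritative server, but the check itself is the same.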

The popularity of such platforms and the demand for conferencing services have increased the number of attacks themed around videoconferencing companies.[5] As more and more people work from home and remotely because of the pandemic, attackers have also changed their methods and tactics to steal credentials and distribute malware.