Microsoft Teams: Vulnerability allowed account takeover

Microsoft had to additionally secure its Teams client after security researchers found a vulnerability. Displaying a GIF image could be misused by attackers to take over accounts. Microsoft has since taken measures to prevent this type of attack.


Microsoft Teams is Microsoft's communication and collaboration platform that combines chat, video conferencing, file storage, file collaboration and integration with applications. Microsoft Teams is part of an Office 365 subscription and is therefore available to many employees in companies. Microsoft also offers free versions of Teams. During the coronavirus pandemic, Microsoft Teams is increasingly used to let employees working from home communicate within a team or hold meetings. It is therefore important that the software can be used safely. Attacks on videoconferencing software are currently on the rise because many people work from home.

GIF image was sufficient for the account takeover

Security researchers from CyberArk discovered a vulnerability in the Microsoft Teams client that allowed an account to be taken over by means of a GIF image. It was sufficient for the attacker to send a GIF file to a victim; this gave the attacker control over the victim's account. The vulnerability had the potential to take over all Microsoft Teams accounts of an organization. Omer Tsarfati disclosed the whole thing in this blog post on April 27, 2020.

The fortune cookie thing

Omer Tsarfati writes that the security researchers noticed something very interesting when examining the software. It concerns how Microsoft Teams passes the authentication access token to image resources. Each time a user opens Teams, the client creates a new temporary token or access token. This access token is a JSON Web Token (JWT) and is issued by Microsoft's authentication server "".

In addition to the token for initial access, other tokens are created for Teams. Some are used to access various services such as SharePoint, Outlook and many others. One of these tokens (the so-called Skype token) is used by the Teams client to show a user images that are shared by him and a group. Since these images are stored on Microsoft's servers, this provides permission control.

CyberArk researchers found that they were able to obtain an authtoken cookie that gives access to a resource server ( This allowed them to create a Skype token, giving security researchers full permissions to send and read messages, create groups, add or remove users from groups, and change permissions in groups using the Teams API.


Because the authtoken cookie is set to be sent to or one of its subdomains, the researchers discovered two subdomains ( and that were vulnerable to takeover attacks.

"If an attacker can lure a user to the taken over subdomains, the victim's browser sends this cookie to the attacker's server. The attacker can (after receiving the authtoken) create a Skype token," write the security researchers. "Once connected, the attacker can steal the account details of the victim's team".

Teams with GIF image

Once the attacker gained control of the compromised subdomains, he could have easily sent a malicious link, such as a GIF, to an unsuspecting victim or to all members of a group chat. When the recipients open the message, the browser sends the authtoken cookies to the compromised subdomain to display the image.

The attacker can then use the authtoken cookie to create a Skype token and thus access all the victim's data. The attack can also be carried out by outsiders, for example by linking to a telephone conference and thus gaining access to the chat. "The victim does not know that he or she has been attacked, which makes it dangerous to exploit this vulnerability," the researchers say. The attack works both via the web variant and via the desktop app of the Teams client.

(Source: YouTube)

The video above shows the takeover. Microsoft has taken action against this threat after being informed of the vulnerability. For example, the incorrectly configured DNS entries that allowed the takeover of the two sub-domains were deleted. And other measures were taken to prevent similar bugs in the future. Summary articles can be found at The Hacker News and Bleeping Computer.
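The combination described above (a cookie scoped to a parent domain plus a subdomain whose DNS entry points at a resource nobody owns any more) can be checked for in your own zone. The following is an added example, not code from CyberArk or Microsoft; the zone records, the inventory of live resources and all helper names are constructed, and cookie Path and Secure attributes are ignored.

```python
# Added example: find dangling CNAMEs in a zone export and list the cookies a
# browser would send to them. All hostnames and records below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str        # value of the Domain attribute, "" for a host-only cookie
    origin_host: str   # host that set the cookie

def cookie_sent_to(cookie: Cookie, host: str) -> bool:
    """RFC 6265 domain-match: a host-only cookie goes to the origin host only;
    a Domain attribute covers that domain and every subdomain below it."""
    host = host.lower().rstrip(".")
    if not cookie.domain:
        return host == cookie.origin_host.lower()
    dom = cookie.domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)

def dangling_cnames(records, live_targets):
    """Hostnames whose CNAME target is not a resource we still have provisioned."""
    return sorted(name for name, rtype, target in records
                  if rtype == "CNAME" and target.rstrip(".") not in live_targets)

def exposed_cookies(cookies, records, live_targets):
    """Map each dangling hostname to the cookies a browser would send to it."""
    findings = {}
    for host in dangling_cnames(records, live_targets):
        names = [c.name for c in cookies if cookie_sent_to(c, host)]
        if names:
            findings[host] = names
    return findings

# Constructed zone export: (hostname, record type, target)
ZONE = [
    ("app.example.com", "A", "203.0.113.10"),
    ("img.example.com", "CNAME", "img-prod.cloudhost.example."),
    ("old-promo.example.com", "CNAME", "promo-2019.cloudhost.example."),
    ("old-promo.example.net", "CNAME", "promo-2019.cloudhost.example."),
]
LIVE = {"img-prod.cloudhost.example"}  # constructed inventory of live resources
COOKIES = [
    Cookie("authtoken", ".example.com", "app.example.com"),
    Cookie("session", "", "app.example.com"),
]

if __name__ == "__main__":
    for host, names in exposed_cookies(COOKIES, ZONE, LIVE).items():
        print(f"{host}: dangling CNAME receives {', '.join(names)}")
```

A finding is resolved either by deleting the stale DNS entry, as Microsoft did here, or by narrowing the cookie so it is no longer sent to every subdomain.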
