Microsoft Resolved Security Problems in Microsoft Teams That Could Be Used to Take Over User Accounts

Microsoft Publishes

This is how viewing a GIF in Microsoft Teams triggered an account hijacking bug: simply viewing an animation was enough to be affected, say the researchers.

Microsoft has addressed security problems in Microsoft Teams that could have been used in an attack chain to take over user accounts, all with the help of a .GIF file.

On Monday, cybersecurity researchers at CyberArk said that a subdomain takeover vulnerability, paired with a malicious .GIF file, could be used to “scrape a user’s data and eventually take over the entire team account roster.” The team says the security issues impact Microsoft Teams on the desktop and web browser editions.

The team says Microsoft Teams is affected by the security problems on the mobile and web browser editions.

Microsoft's communication platform, alongside rival services like Zoom and GoToMeeting, has seen its user base grow due to the COVID-19 outbreak. Microsoft Teams is being used to keep companies running, including the sharing of corporate data, and so in the current circumstances could be of renewed interest to cyber attackers.

During CyberArk's examination of the platform, the team found that the client generates a new temporary access token, authenticated via login.microsoftonline.com, every time the application is opened. Additional tokens are also created for access to supported services like SharePoint and Outlook.

Two cookies, “authtoken” and “skypetoken_asm”, are used to restrict user access privileges. The Skype token was sent to teams.microsoft.com and its subdomains, which were found to be vulnerable to subdomain takeover.

“If an attacker can somehow force a user to visit the subdomains that have been taken over, the victim’s browser will send this cookie to the attacker’s server, and the attacker (after receiving the authtoken) can create a Skype token,” the team says. “After doing all of this, the attacker can steal the victim’s Teams account data.”

The attack chain is, however, complex, as an attacker needed to issue a certificate for the affected subdomains, which is only possible by ‘proving’ ownership through checks such as uploading a file to a particular path.

As the subdomains were already vulnerable, this hurdle was overcome, and sending either a malicious link to the subdomain or a .GIF file to a team could lead to the generation of the token an attacker needs to compromise a victim’s Teams session. Since the image only had to be viewed, it could impact more than one person at a time.

CyberArk published proof-of-concept (PoC) code showing how the attacks could have taken place, along with a script that could be used to scrape Teams conversations.

“COVID-19 has forced many companies to move to full-time remote work — leading to a significant uptick in the number of users that use Teams or platforms like it,” CyberArk says. “Even if an attacker doesn’t gather much information from a Teams’ account, they could use the account to traverse throughout an organization.”

The researchers worked with the Microsoft Security Response Center (MSRC) under the Coordinated Vulnerability Disclosure (CVD) program to report their findings.

CyberArk reported the security flaw on March 23. On the same day, the Redmond giant corrected the misconfigured DNS records for both subdomains needed for account takeover. Microsoft released a patch on April 20 to reduce the possibility of similar vulnerabilities in the future.
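The exposure described in this article comes from an authentication cookie scoped to a parent domain combined with a subdomain whose DNS record points at a resource that no longer exists. The following audit check is an added example, not CyberArk's or Microsoft's code; the `example.com` hostnames, the `Record` inventory and the `session_pref` cookie are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Record:
    name: str               # hostname in the audited zone
    cname: Optional[str]    # CNAME target, if the record is an alias
    target_resolves: bool   # does the target still map to a resource we own?


def cookie_sent_to(cookie_domain: Optional[str], set_by: str, host: str) -> bool:
    """RFC 6265 domain matching: a cookie with a Domain attribute is sent to
    that domain and every subdomain; without one it is host-only."""
    host = host.lower().rstrip(".")
    if cookie_domain is None:
        return host == set_by.lower()
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def exposed_hosts(cookies: Dict[str, Optional[str]], set_by: str,
                  records: List[Record]) -> Dict[str, List[str]]:
    """Map each cookie to the dangling hosts that would receive it."""
    dangling = [r.name for r in records if r.cname and not r.target_resolves]
    findings = {}
    for name, domain in cookies.items():
        hits = sorted(h for h in dangling if cookie_sent_to(domain, set_by, h))
        if hits:
            findings[name] = hits
    return findings


# Constructed inventory: cookie name -> Domain attribute (None = host-only).
COOKIES = {"authtoken": ".chat.example.com", "session_pref": None}
RECORDS = [
    Record("chat.example.com", None, True),
    Record("files.chat.example.com", "files-prod.cdn.example.net", True),
    Record("promo.chat.example.com", "old-campaign.hosting.example.net", False),
    Record("legacy.example.com", "retired.hosting.example.net", False),
]

if __name__ == "__main__":
    for cookie, hosts in exposed_hosts(COOKIES, "chat.example.com", RECORDS).items():
        print(f"{cookie}: sent to dangling host(s) {', '.join(hosts)}")
```

Dangling records outside the cookie's scope (here `legacy.example.com`) still need cleanup, but the ones inside it are the priority because the browser attaches the token to requests for them automatically.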

According to ZDNet, a Microsoft spokesperson said:

“We addressed the issue discussed in this blog and worked with the researcher under Coordinated Vulnerability Disclosure. While we have not seen any use of this technique in the wild, we have taken steps to keep our customers safe.”

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.