CyberArk researchers announced today that a vulnerable subdomain, combined with a malicious .GIF file, could be used to "collect a user's data and eventually obtain all of an organization's Teams accounts".
The team said the security issues affected Microsoft Teams in both the desktop and the web version of the program.
Like competing services (Zoom, GoToMeeting, etc.), the Microsoft communications platform appears to have gained a much larger customer base with the advent of COVID-19. Microsoft Teams is used to keep businesses running and, among other things, offers corporate data sharing. This makes the application a very tempting target for hackers.
During CyberArk's review of the platform, the team found that each time the application is opened, the Teams client creates a new temporary access token, which is authenticated through the subdomain login.microsoftonline.com. Other tokens are created to access other supported services such as SharePoint and Outlook.
They noticed that two cookies, "authtoken" and "skypetoken_asm", were used to restrict access to content. They used these to obtain a Skype token, sending it to teams.microsoft.com and the subdomains it uses. On two of those subdomains they were able to perform a subdomain takeover.
"If an attacker can somehow force a user to visit subdomains occupied (by hackers), the victim's browser will send a cookie to the attacker's server. The attacker (after obtaining the authtoken) can create a distinctive Skype," the team states. "After all this, the attacker can steal the data of the victim's accounts."
However, the attack chain is complicated, because the attacker would have needed to issue a certificate for all of the compromised subdomains.
But since the subdomains were vulnerable, this hurdle was overcome either by sending a malicious link to the subdomain or by sending a .GIF file in a group chat. Either could lead to obtaining the token needed to hijack a victim's Microsoft Teams session, and because the image only has to be displayed, it could affect more than one person at a time.
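To make the cookie-scope point concrete, here is an added example (not CyberArk's PoC or any Microsoft code) that implements RFC 6265 domain matching and reports which hosts a browser would send a cookie to; the Set-Cookie headers, token values and host names are constructed placeholders, not Teams' real attributes.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CookieScope:
    name: str
    domain: Optional[str]  # None means host-only (no Domain attribute)
    secure: bool
    http_only: bool

def parse_set_cookie(header: str) -> CookieScope:
    """Extract the scope-relevant attributes from one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain, secure, http_only = None, False, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            domain = value.strip().lower().lstrip(".")  # a leading dot is ignored
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
    return CookieScope(name, domain, secure, http_only)

def is_sent_to(cookie: CookieScope, origin_host: str, request_host: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching. HttpOnly only blocks script access
    and Secure only requires HTTPS (hence the certificate mentioned above);
    neither keeps the cookie from reaching a taken-over host inside the Domain."""
    request_host = request_host.lower()
    if cookie.domain is None:  # host-only cookie: exact host match only
        return request_host == origin_host.lower()
    return request_host == cookie.domain or request_host.endswith("." + cookie.domain)

def hosts_receiving(cookie: CookieScope, origin_host: str, hosts: list) -> list:
    return [h for h in hosts if is_sent_to(cookie, origin_host, h)]

# Constructed sample data: token values are placeholders, "taken-over" stands in
# for a subdomain with a dangling DNS record, and the ".attacker.example"
# lookalike host must never match.
WIDE_SCOPE = "authtoken=CONSTRUCTED; Domain=.teams.microsoft.com; Path=/; Secure; HttpOnly"
HOST_ONLY = "authtoken=CONSTRUCTED; Path=/; Secure; HttpOnly"
HOSTS = ["teams.microsoft.com", "taken-over.teams.microsoft.com",
         "teams.microsoft.com.attacker.example", "login.microsoftonline.com"]

if __name__ == "__main__":
    for label, header in (("wide scope", WIDE_SCOPE), ("host-only", HOST_ONLY)):
        print(label, "->", hosts_receiving(parse_set_cookie(header), "teams.microsoft.com", HOSTS))
```

Run against real Set-Cookie headers captured from your own tenant, the same check tells you whether a single dangling subdomain would be enough to receive a session cookie.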
CyberArk has released a PoC showing how such attacks could have taken place, along with a script that could be used to stop Teams conversations.
The researchers partnered with the Microsoft Security Response Center (MSRC) as part of the Coordinated Vulnerability Disclosure (CVD) program to report their findings.
CyberArk reported the flaw on March 23. On the same day, the Redmond-based company corrected the DNS settings of the two subdomains, and on April 20 an update was released that completely fixes the problem.