We live in an age where technology is part of our lives and a primary valuable resource for personal and professional work. The use of online video conferencing platforms such as Zoom and Microsoft Teams has become necessary in recent months due to the COVID-19 pandemic.
This article provides a detailed guide on how to hack Microsoft Teams with a simple GIF image.
The vulnerability posted in April to mid-2020 could be exploited by a remote user, and Microsoft immediately fixed the bug a few days after the revelation. However, this scenario should be understood as a real threat facing not only Microsoft Teams but also all applications that maintain the same mode of operation.
Even if a malicious user does not have sensitive information from one's account teamς, το ελάττωμα μπορεί να χρησιμοποιηθεί για να εκτελέσει μια επίθεση στους λογαριασμούς του οργανισμού, όπως ένα worm, για να πάρει τα διακριτικά του λογαριασμού και στη συνέχεια να έχει access in all chat sessions of the target users.
Figure 1 below shows how this attack can be performed on a large company.
Figure 1: Microsoft Teams Attack Workflow
In detail, the attack can be exploited by following these steps:
- A malicious GIF image is prepared and created by hackers and sent to a first victim during a video conference call.
- The victim opens and sees the message with the GIF image embedded. At this point, the hacker impersonates the victim and spreads the GIF image with the payload to the accounts of the organization's teams like a worm, infecting a large group of employees.
- The message spreads and other victims are affected.
- The victim group vouchers are sent to the hacker.
- Hackers can use the data to access information, contacts, messages of the victim and so on.
As described above, the vulnerability is based on a simple GIF image and how groups handle authentication on image resources. Below, the initial payload is presented.
Figure 2: H GIF image sent to the first victim.
In detail, when opening the application (for both mobile devices and desktops), a JSON Web Token (JWT) is created, the access badge, during this process. This badge allows the user to view images shared by the person or others in a chat / conference / teleconference.
Because of this, a cookie called “authtoken” that provides access to a resource server “api.spaces.skype.com” can work as an exploit to create the “Skype token”, giving access to send messages, create groups, accesscase adding new users or removing users from groups, changing permissions on groups via the Teams API, and so on.
Figure 3: The distinctive JWT was filtered using this vulnerability.
Next step: takeover attack
Afterwards λήψη of this privileged token, can be misused to interact with other internal systems in the Microsoft ecosystem. In order to execute a successful attack, two subdomains were identified as vulnerable to takeover attacks:
- aadsync-test.teams.microsoft.com
- data-dev.teams.microsoft.com
By obtaining this information, a hacker can force a user to access the hijacked domains. After that, the program browsing of the victim will automatically send the cookie to the remote server of the fraudsters. Now you can create your Skype token and access all the victim group account data.
Details including confidential information, appointments and calendar information, competing data, secrets, passwords, private information, business strategy, plans and procedures can now be used to execute other types of attackers.