Microsoft Teams that a GIF violates the system

Microsoft seems to have managed to fix some security issues in Microsoft Teams that could be used in chainers to take over user accounts – all with the help of a .GIF file.

CyberArk researchers they announced today the vulnerability of a subdomain, which combined with a malicious .GIF file, could be used to “ of a user's data and eventually acquiring all of an organization's Teams accounts".

The team said security issues affected Microsoft Teams on both desktops and the web version of the program.

The Microsoft communications platform seems to have gained an expanded customer base like other competing services (Zoom, GoToMeeting, etc.) due to the advent of COVID-19. Microsoft Teams is used to keep businesses running, and among other things it offers corporate data sharing. This makes the application a very tempting target for hackers.

During the review of the platform by CyberArk, the team found that each time the application is opened, the Teams client creates a new temporary access badge, which is authenticated through the subdomain login.microsoftonline.com. Other tokens are created to access other supported services such as SharePoint and Outlook.

They noticed that two cookies are used to restrict access rights to , “authtoken” and “skypetoken_asm.” So they used these files to obtain a Skype token by sending it to teams.microsoft.com and the subdomains it uses. In two of them they were able to perform a subdomain takeover.

"If an attacker can somehow force a user to visit subdomains occupied (by hackers), the victim browser will send a cookie to the attacker's server. "The attacker (after acquiring the authtoken) can create a distinctive Skype", the team states. "After all this, the attacker can steal the data of the victim's accounts."

However, the chain of attack is complicated, as it was necessary for the attacker to issue a certificate for all the violated subdomains subdomains.

Microsoft Teams

But as subdomains were vulnerable, this was overcome , by sending either a malicious link to the subdomain or by sending a .GIF file to a group. This could lead to the creation of the required token needed to compromise a victim's Microsoft Teams session, as the image alone could affect more than one person at a time.

CyberArk has released a PoC showing how attacks could have taken place, along with a script that could be used to stop Teams conversations.

The researchers partnered with the Microsoft Security Response Center (MSRC) as part of the Coordinated Vulnerability Disclosure (CVD) program to report their findings.

CyberArk reported the flaw on March 23. On the same day, from Redmond fixed the incorrect DNS settings of the two subdomains, and on April 20th an update was released that fully fixes the problem.

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.

Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).