On Monday, security researchers from CyberArk stated that a subdomain takeover vulnerability, combined with a malicious .GIF file, could be used for “withdrawing a user's data and eventually taking control of all of an organization's Microsoft Teams accounts”.
The researchers said that the security issues affected both the desktop and the web browser versions of Microsoft Teams.
Microsoft's communications platform is used by many people, especially during the COVID-19 period. Microsoft Teams is also used by many businesses, allowing corporate data sharing, which makes it an attractive target for hackers.
CyberArk researchers studied the platform and found that every time the app is opened, the Teams client creates a new temporary access token. The problem lay in the way Microsoft handled these tokens, which essentially prove that a legitimate user has access to the Teams account.
Microsoft's servers accept these tokens at teams.microsoft.com or at any subdomain under that address, so the browser sends them to any such subdomain. CyberArk found that two of these subdomains, aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com, were vulnerable to subdomain takeover.
"If an attacker can somehow force a user to visit the compromised subdomains, the victim's browser will send the tokens to the attacker's server, and he will then be able to create another token, a Skype token," the researchers said. "After all this, the attacker can steal the victim's Microsoft Teams account data."
However, the attack is complicated, as the attacker must first obtain a certificate for the compromised subdomains.
Because the subdomains were already vulnerable, this hurdle could be overcome, and by sending either a malicious link to the subdomain or a .GIF file in Teams, the required token could be obtained and the attacker could gain access. Simply viewing the GIF is enough, so many Microsoft Teams users could be affected in a single attack.
CyberArk has released proof-of-concept (PoC) code showing how the attack works, along with a script that could be used to steal Teams conversations.
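As an added illustration (not CyberArk's PoC and not Microsoft code), the following Python models RFC 6265 cookie domain matching to show why a token cookie scoped to teams.microsoft.com is also sent to the two subdomains named above, while a host-only cookie is only sent back to the host that set it; the cookie name and the extra hostname are constructed.

```python
# Added example: models RFC 6265 cookie domain matching to show the blast
# radius of a token cookie scoped to a whole domain vs. a host-only cookie.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: Optional[str]  # None = host-only cookie (no Domain attribute)
    origin_host: str       # host whose response set the cookie


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the domain, or the domain is a
    suffix of the host and the preceding character is a dot."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".").rstrip(".")
    return host == dom or host.endswith("." + dom)


def is_sent_to(cookie: Cookie, request_host: str) -> bool:
    """Would the browser attach this cookie to a request for request_host?"""
    if cookie.domain is None:
        # Host-only cookie: only the exact setting host receives it.
        return request_host.lower().rstrip(".") == cookie.origin_host.lower()
    return domain_matches(request_host, cookie.domain)


def hosts_receiving(cookie: Cookie, hosts: List[str]) -> List[str]:
    """Which of the candidate hosts receive the cookie (in input order)."""
    return [h for h in hosts if is_sent_to(cookie, h)]


# Constructed sample: the main Teams host, the two subdomains named in the
# report, and an unrelated host that merely shares suffix text.
HOSTS = [
    "teams.microsoft.com",
    "aadsync-test.teams.microsoft.com",
    "data-dev.teams.microsoft.com",
    "other-teams.microsoft.com",  # constructed: not a subdomain of teams.microsoft.com
]

# Cookie name "access_token" is constructed, not the real cookie name.
WIDE_SCOPED = Cookie("access_token", "teams.microsoft.com", "teams.microsoft.com")
HOST_ONLY = Cookie("access_token", None, "teams.microsoft.com")

if __name__ == "__main__":
    print("domain-scoped cookie goes to:", hosts_receiving(WIDE_SCOPED, HOSTS))
    print("host-only cookie goes to:    ", hosts_receiving(HOST_ONLY, HOSTS))
```

A cookie with `Domain=teams.microsoft.com` reaches every subdomain, including one whose DNS is left dangling, which is exactly why a subdomain takeover turns into token theft here; a host-only cookie is not sent to the subdomains at all.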
"COVID-19 has forced many companies to switch to remote work, leading to a significant increase in the number of users that use Teams or other platforms like it," says CyberArk. "Even if an attacker does not gather a lot of information from a Teams account, he could use the account to 'cross' the whole organization."
The researchers worked with the Microsoft Security Response Center (MSRC) under the Coordinated Vulnerability Disclosure (CVD) program to report their findings.
CyberArk reported the vulnerability on March 23. On the same day, Microsoft corrected the misconfigured DNS settings of the two subdomains that allowed attackers to take control of Teams accounts. On April 20, the company also released a patch to mitigate the risk of such errors.
A Microsoft spokesman said: "We addressed the issue discussed in this blog and worked with the researchers under Coordinated Vulnerability Disclosure. While we have not seen any exploitation of this technique, we have taken steps to keep our customers safe."