Your Whole Company’s Microsoft Teams Data Could’ve Been Stolen With An ‘Evil GIF’

This article is more than 4 years old.

Tech giants are fighting to provide the de facto videoconferencing tool for remote workers in the time of COVID-19. Zoom rose to the top fast but, thanks to various security and privacy issues, was pegged back by competitors. Rivals have their flaws too, as shown by a weakness in Microsoft’s collaboration and videoconferencing tool Teams that was revealed on Monday.

For at least three weeks from the end of February till mid-March, a malicious GIF could’ve stolen user data from Microsoft Teams accounts, possibly across an entire company, and taken control of “an organization’s entire roster of Teams accounts,” cybersecurity researchers have warned.

The relevant vulnerability was patched on April 20, meaning users are now safe from this specific attack. But it goes to show that it isn’t just Zoom that’s exposed to potentially cataclysmic flaws. Other videoconferencing tools that have become hugely popular amongst populations in COVID-19 lockdown can and will be targeted too.

What’s this Evil GIF?

The vulnerability affected every Microsoft Teams version for desktop and web browser. The problem lay in the way Microsoft was handling authentication tokens for viewing images in Teams. Think of those tokens as files that prove a legitimate user is accessing the Teams account. Those tokens are handled by Microsoft at its server located at teams.microsoft.com or any subdomain under that address. CyberArk found that it was possible to hijack two of those subdomains - aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com - as part of an attack.

They discovered that if a hacker could force a target to visit the hijacked subdomains, the authentication tokens could be passed to the attacker’s server. They could then create another token - the “skype” token - that granted them access to steal the victim’s Teams account data.

The obvious way to convince a user to visit the compromised subdomains would be via a classic phishing attack, where the hacker would send a target a link and try to have them click on it. But CyberArk’s researchers deemed that too obvious, so they created an “evil” Donald Duck GIF that, on simply being viewed, would force the victim’s Teams account to give up its authentication token and therefore their data. That’s because the GIF’s source was a compromised subdomain, and Teams will automatically contact that subdomain to load the image.
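For defenders, the scoping problem described above can be audited directly. The following is an added example, not code from CyberArk or Microsoft: it assumes the token travels in a cookie scoped to the parent domain, applies the browser's cookie domain-matching rule to an inventory of hostnames, and compares that scope with a host-only cookie. The cookie name, values and `example.com` entry are constructed placeholders.

```javascript
// RFC 6265 section 5.1.3 domain-match: the host equals the cookie domain
// or is a subdomain of it.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Parse a Set-Cookie header value into the fields that decide its scope.
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  // Without a Domain attribute the cookie is host-only (sent to originHost only).
  const cookie = { name, hostOnly: true, domain: originHost.toLowerCase() };
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const value = eq === -1 ? "" : attr.slice(eq + 1).trim();
    if (key === "domain" && value !== "") {
      cookie.domain = value.replace(/^\./, "").toLowerCase(); // leading dot is ignored
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// Return every inventoried host whose requests would carry the cookie.
function hostsReceiving(cookie, inventory) {
  return inventory.filter((host) =>
    cookie.hostOnly ? host.toLowerCase() === cookie.domain : domainMatch(host, cookie.domain)
  );
}

// Constructed inventory; the two test/dev subdomains are the ones named in the article.
const inventory = [
  "teams.microsoft.com",
  "aadsync-test.teams.microsoft.com",
  "data-dev.teams.microsoft.com",
  "example.com",
];

// Constructed headers: "session_token" and its value are placeholders.
const wide = parseSetCookie("session_token=PLACEHOLDER; Domain=.teams.microsoft.com; Secure", "teams.microsoft.com");
const hostOnly = parseSetCookie("session_token=PLACEHOLDER; Secure; HttpOnly", "teams.microsoft.com");

console.log("parent-scoped:", hostsReceiving(wide, inventory));
console.log("host-only:    ", hostsReceiving(hostOnly, inventory));
```

Any host that appears in the parent-scoped list but is not a production service is one whose DNS record has to stay under the organization's control for as long as the token is scoped that widely.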

CyberArk said hackers could’ve abused the weakness to create a worm, where the attack spreads from one user to the next to hit a large number of people in a short time. “The fact that the victim needs only to see the crafted message to be impacted is a nightmare from a security perspective. Every account that could have been impacted by this vulnerability could also have been a spreading point to all other company accounts,” the researchers wrote in a report handed to Forbes ahead of publication.

What’s the impact?

The impact could’ve been severe, though there’s no indication any malicious hacker leveraged the vulnerability.

“Eventually, the attacker could access all the data from your organization Teams accounts, gathering confidential information, competitive data, secrets, passwords, private information, business plans,” wrote CyberArk.

“Maybe even more disturbing, they could also exploit this vulnerability to send false information to employees – impersonating a company’s most trusted leadership – leading to financial damage, confusion, direct data leakage, and more.”

What’s Microsoft done?

The vulnerability was patched on April 20, though Microsoft took action earlier, on March 23, to ensure the vulnerable subdomains couldn’t be hijacked. That was the same day CyberArk informed the tech giant about what it had found.

Omer Tsarfati, a researcher at CyberArk Labs, told Forbes it was unclear just how long the bug had been sitting in Microsoft Teams. He said that the vulnerable subdomains had been susceptible to takeover since February 27 this year, meaning the weaknesses were at least three weeks old.

But he praised Microsoft for reacting “very fast,” noting that users didn’t have to do anything, as the flaw was patched for them.

As with Zoom, Microsoft has been acting fast to fix issues affecting the increasingly large remote worker population, though vulnerabilities will always affect such tools.
