During the Coronavirus lockdown, services such as Microsoft Teams, Zoom and GoToMeeting have seen a sudden surge in users, as many companies rely on them to manage work-from-home arrangements.
Microsoft has fixed a flaw in Microsoft Teams that could have let attackers hijack accounts by sending a .GIF image or a malicious link.
The issue was discovered by the security firm CyberArk. Its researchers found a subdomain takeover which, combined with the way Teams loads .GIF images, could be used to read a user's private data or, at scale, an organization's entire Microsoft Teams data.
On further investigation, the CyberArk team found that every time the Teams application is opened, the client creates a temporary access token, authenticated through login.microsoftonline.com. Two cookies, "authtoken" and "skypetoken_asm", are used to restrict access to content. The real culprit is the "authtoken" cookie: it is scoped so that the browser sends it not only to teams.microsoft.com but to every subdomain under it, and two such subdomains were found to be vulnerable to takeover.
If an attacker can get the victim's browser to make a request to one of the taken-over subdomains, the browser attaches this cookie and the attacker's server receives it. With the authtoken in hand, the attacker can mint a Skype token and use it to access the victim's account data.
Because the subdomain is already under the attacker's control, the token can be harvested either with a malicious link, which requires a click, or with a .GIF image whose source points at the hijacked subdomain: Teams loads the image automatically when the message is rendered, so the victim only has to view the GIF.
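To make the cookie-scoping point concrete, here is an added example (not CyberArk's or Microsoft's code) that uses the Python standard library's cookie jar as a stand-in for the browser. It shows that a cookie set with a parent-domain `Domain` attribute is attached to a request for any subdomain, including an image fetch from a hijacked one, while a host-only cookie is not, and it adds a simple check for CNAME records whose target no longer resolves, which is the usual takeover precondition. All hostnames (`teams.example` and its subdomains), the cookie value and the DNS records are constructed for illustration and are not the real ones.

```python
"""Added example: models the cookie-scope mistake behind a subdomain takeover
using http.cookiejar as a browser model, plus a dangling-CNAME check.
Hostnames, cookie values and DNS records are constructed, not real."""
from http.cookiejar import Cookie, CookieJar, DefaultCookiePolicy
from urllib.request import Request


def _browser_jar() -> CookieJar:
    # Browser-like policy (RFC 6265): a host-only cookie is returned only to
    # the exact host that set it; a Domain= cookie goes to the domain and
    # every subdomain beneath it.
    policy = DefaultCookiePolicy(
        strict_ns_domain=DefaultCookiePolicy.DomainStrictNonDomain)
    return CookieJar(policy)


def _make_cookie(name: str, value: str, domain: str, domain_specified: bool) -> Cookie:
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=domain_specified,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=True, expires=None, discard=True,
        comment=None, comment_url=None, rest={"HttpOnly": None},
    )


def session_jar(parent_domain_scoped: bool) -> CookieJar:
    """Cookie jar of a client logged in at https://teams.example (constructed).

    parent_domain_scoped=True reproduces the weak configuration, a token
    cookie with Domain=.teams.example; False is the hardened host-only cookie.
    """
    jar = _browser_jar()
    if parent_domain_scoped:
        jar.set_cookie(_make_cookie("authtoken", "tok-123", ".teams.example", True))
    else:
        jar.set_cookie(_make_cookie("authtoken", "tok-123", "teams.example", False))
    return jar


def cookies_sent_to(jar: CookieJar, url: str) -> list:
    """Names of the cookies the jar would attach to a request for url."""
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return []
    return [part.split("=", 1)[0].strip() for part in header.split(";")]


def gif_fetch_leaks_token(jar: CookieJar, gif_url: str) -> bool:
    """Rendering a chat message makes the client GET the image source; if that
    host is a hijacked subdomain, the token cookie rides along."""
    return "authtoken" in cookies_sent_to(jar, gif_url)


# Constructed zone: two CNAMEs point at hosting targets that were torn down,
# so anyone who can claim those targets controls the subdomain.
ZONE = {
    "staging.teams.example": ("CNAME", "old-app.hosting.example"),
    "data-dev.teams.example": ("CNAME", "retired-env.hosting.example"),
    "www.teams.example": ("CNAME", "live-app.hosting.example"),
}
LIVE_TARGETS = {"live-app.hosting.example"}  # targets that still resolve


def dangling_cnames(zone: dict, live_targets: set) -> list:
    """Subdomains whose CNAME target no longer resolves: takeover candidates."""
    return sorted(name for name, (rtype, target) in zone.items()
                  if rtype == "CNAME" and target not in live_targets)


if __name__ == "__main__":
    gif = "https://staging.teams.example/cat.gif"
    for scoped in (True, False):
        jar = session_jar(scoped)
        print(f"Domain-scoped cookie: {scoped}")
        print("  sent to teams.example     :", cookies_sent_to(jar, "https://teams.example/"))
        print("  sent with GIF fetch       :", cookies_sent_to(jar, gif))
        print("  token leaks via GIF       :", gif_fetch_leaks_token(jar, gif))
    print("Takeover candidates:", dangling_cnames(ZONE, LIVE_TARGETS))
```

The fix on the cookie side is to set the session cookie host-only (no `Domain` attribute), so it stays with the host that issued it; on the DNS side, dangling CNAMEs should be removed before the target resource is decommissioned, which is what the same-day DNS correction described below amounts to.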
Because large corporations move sensitive data through these applications, they have become an increasingly attractive target for attackers.
CyberArk reported the issue to Microsoft on March 23, and Microsoft corrected the DNS misconfiguration of the two subdomains the same day. A patch addressing the underlying token-handling issue followed on April 20.