Microsoft recently fixed a “Subdomain Takeover” vulnerability in its office communications platform Teams that could have allowed hackers to take control of an organization’s entire set of Teams accounts simply by sending a malicious image or GIF. The vulnerability, which affected both the desktop and web versions of the Teams app, was discovered and disclosed by security researchers at CyberArk on March 23, 2020.
The researchers stated that hackers could access all the information from the organization’s Teams accounts, including competitive data, secrets, passwords, private information, meeting and calendar information, business plans, and other confidential information.
Subdomain Takeover Vulnerability
According to CyberArk, the vulnerability stems from the way Microsoft Teams handles authentication to image and GIF resources. The researchers found that they were able to obtain a cookie (called “authtoken”) that grants access to a resource server, which gives them permissions to send messages, read messages, create groups, add new users or remove users from groups, and change permissions in groups via the Teams API.
The researchers also found two subdomains (aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com) that were vulnerable to takeover. “If an attacker can somehow force a user to visit the subdomains that have been taken over, the victim’s browser will send this cookie to the attacker’s server, and the attacker (after receiving the authtoken) can create a skype token. After doing all of this, the attacker can steal the victim’s Teams account data,” the researchers said.
How the Attack Works
The attack involves tricking the targeted Teams user into viewing a malicious GIF image. Using the compromised subdomains, attackers exploit the flaw simply by sending a malicious image or GIF to the targeted member or group. When the recipient opens the message, the browser tries to load the image, but not before sending the authtoken cookie to the compromised subdomain.
In a proof-of-concept (PoC) video, CyberArk showed how an attacker can use this authtoken cookie to create a Skype token and access all of the victim’s data.
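The reason the browser hands the cookie to a dangling subdomain is cookie scoping: a cookie set with a Domain attribute is sent to every host under that domain, including ones whose DNS an outsider now controls. The following Python is an added illustration, not code from the article or from CyberArk’s PoC; it implements RFC 6265 domain matching and assumes (the article does not say) that authtoken carried Domain=teams.microsoft.com, contrasting that with a host-only cookie that a defender would prefer.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: Optional[str]  # value of the Domain attribute; None means host-only
    set_by: str            # host that issued the Set-Cookie


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the domain or is a subdomain of it."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if request_host == cookie_domain:
        return True
    # The leading dot prevents e.g. evilteams.microsoft.com from matching.
    return request_host.endswith("." + cookie_domain)


def is_sent_to(cookie: Cookie, request_host: str) -> bool:
    """Host-only cookies return only to the issuing host; domain cookies go
    to every domain-matching host, which is the weak spot in a takeover."""
    if cookie.domain is None:
        return request_host.lower().rstrip(".") == cookie.set_by.lower().rstrip(".")
    return domain_matches(request_host, cookie.domain)


def hosts_receiving(cookie: Cookie, hosts: List[str]) -> List[str]:
    return [h for h in hosts if is_sent_to(cookie, h)]


# Constructed scenario: the two subdomains are the ones named in the article;
# the cookie attributes are assumptions for illustration.
PARENT = "teams.microsoft.com"
DANGLING = ["aadsync-test.teams.microsoft.com", "data-dev.teams.microsoft.com"]
HOSTS = [PARENT] + DANGLING + ["login.microsoftonline.com", "evilteams.microsoft.com"]

WIDE_COOKIE = Cookie("authtoken", domain=PARENT, set_by=PARENT)  # weak: Domain set
HOST_ONLY_COOKIE = Cookie("authtoken", domain=None, set_by=PARENT)  # hardened

if __name__ == "__main__":
    print("Domain-scoped cookie reaches:", hosts_receiving(WIDE_COOKIE, HOSTS))
    print("Host-only cookie reaches:   ", hosts_receiving(HOST_ONLY_COOKIE, HOSTS))
```

Run it and the domain-scoped cookie lands on both dangling subdomains while the host-only cookie stays on teams.microsoft.com; the other half of the mitigation is removing DNS records for decommissioned subdomains so nothing is left to take over.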
“Even if an attacker does not gather much information from a Teams account, they could still use the account to traverse throughout an organization (just like a worm). They could also exploit this vulnerability to send false information to employees – impersonating a company’s most trusted leadership – leading to financial damage, confusion, direct data leakage, and more,” CyberArk concluded.