{"id":1553845,"date":"2020-04-30T12:56:00","date_gmt":"2020-04-30T10:56:00","guid":{"rendered":"http:\/\/nhub.news\/?p=1553845"},"modified":"2020-04-30T17:08:10","modified_gmt":"2020-04-30T15:08:10","slug":"how-viewing-a-gif-could-have-compromised-your-account-in-microsoft-teams","status":"publish","type":"post","link":"http:\/\/nhub.news\/ru\/2020\/04\/how-viewing-a-gif-could-have-compromised-your-account-in-microsoft-teams\/","title":{"rendered":"How Viewing a GIF Could Have Compromised Your Account In Microsoft Teams"},"content":{"rendered":"<p style=\"text-align: justify;\"><b>Microsoft Teams, just like other video conferencing apps, has seen a growth in users owing to the coronavirus pandemic. Now, a new vulnerability surfaced that could have allowed hackers to take over an entire Teams roster.<\/b><br \/>\nMicrosoft Teams is among the popular video conferencing services and has seen a rise in users owing to the coronavirus pandemic. But with the increase in user base comes an increased security risk. A new analysis of Microsoft Teams by information security company CyberArk found that user accounts were vulnerable to takeovers just by sharing a malicious GIF. This vulnerability is associated with the temporary access token created by Microsoft Teams at various points and can affect both the Teams desktop and web browser versions. However, Microsoft said it has addressed the issue and taken steps to keep its customers safe.<br \/>The vulnerability was spotted by CyberArk when it analysed how Microsoft Teams works. During the research, it was found that every time Teams is opened, the client creates a new temporary token or access token. Just like the initial access token, other tokens are created as well, for instance for SharePoint, Outlook and other services. 
These tokens are then used to allow a user to see images or GIFs shared with them or by them. As these images are stored on Microsoft&#8217;s servers, a token called \u201cskype token\u201d is created and can also be seen as a cookie called \u201cskypetoken_asm.\u201d<br \/>The researchers noted that Teams makes sure that users will be able to see the content by establishing two cookies called \u201cauthtoken\u201d and \u201cskypetoken_asm.\u201d Thus, if someone gets access to the authtoken, they can create a skype token. Stating that two of the sub-domains under Microsoft Teams, namely \u2018aadsync-test.teams.microsoft.com&#8217; and \u2018data-dev.teams.microsoft.com&#8217;, were vulnerable to a subdomain takeover, CyberArk said that if an attacker can \u201cforce a user to visit the sub-domains\u201d, the victim&#8217;s browser will send a cookie to the attacker&#8217;s server, which will allow the attacker to create a skype token. This will then give the attacker access to the victim&#8217;s Teams account data.<br \/>By leveraging this vulnerability in Microsoft Teams, CyberArk stated that attackers could have used a malicious GIF to \u201cscrape user&#8217;s data and ultimately take over an organization&#8217;s entire roster of Teams accounts.\u201d It was noted that vulnerabilities like this have the ability to spread automatically and would affect every user who uses the Teams desktop or web browser version.<br \/>The analysis also pointed out that after working with Microsoft Security Research Center, the issue was fixed. According to ZDNet, Microsoft said, \u201cWe addressed the issue discussed in this blog and worked with the researcher under Coordinated Vulnerability Disclosure. 
While we have not seen any use of this technique in the wild, we have taken steps to keep our customers safe.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Teams, just like other video conferencing apps, has seen a growth in users owing to the coronavirus pandemic. Now, a new vulnerability surfaced that could have allowed hackers to take over an entire Teams roster. Microsoft Teams is among the popular video conferencing services and has seen a rise in users owing to the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1553844,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[90],"tags":[],"_links":{"self":[{"href":"http:\/\/nhub.news\/ru\/wp-json\/wp\/v2\/posts\/1553845"}],"collection":[{"href":"http:\/\/nhub.news\/ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/nhub.news\/ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/nhub.news\/ru\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/nhub.news\/ru\/wp-json\/wp\/v2\/comments?post=1553845"}],"version-history":[{"count":1,"href":"http:\/\/nhub.news\/ru\/wp-json\/wp\/v2\/posts\/1553845\/revisions"}],"predecessor-version":[{"id":1553846,"href":"http:\/\/nhub.news\/ru\/wp-json\/wp\/v2\/posts\/1553845\/revisions\/1553846"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/nhub.news\/ru\/wp-json\/wp\/v2\/media\/1553844"}],"wp:attachment":[{"href":"http:\/\/nhub.news\/ru\/wp-json\/wp\/v2\/media?parent=1553845"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/nhub.news\/ru\/wp-json\/wp\/v2\/categories?post=1553845"},{"taxonomy":"post_ta
g","embeddable":true,"href":"http:\/\/nhub.news\/ru\/wp-json\/wp\/v2\/tags?post=1553845"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}