Microsoft has fixed a wormable vulnerability in its video chat and workplace collaboration platform, Microsoft Teams, that could have allowed attackers to take over an organization's entire roster of Teams accounts simply by sending a malicious link to an innocent-looking image.
The flaw, which affected both the desktop and web versions of the application, was discovered by cybersecurity researchers at CyberArk. After the findings were responsibly disclosed on March 23, Microsoft patched the vulnerability in an update released on April 20.
“Even if an attacker does not collect a lot of information from a Teams account, he can still use this account to view the entire organization (like a worm),” said Omer Tsarfati from CyberArk.
“Ultimately, an attacker can gain access to all the data in the team accounts of your organization – by collecting confidential information, meeting and calendar information, competitive data, secrets, passwords, personal information, business plans, etc.”
The development comes as video conferencing software such as Zoom and Microsoft Teams sees unprecedented demand, with businesses, students, and even government officials around the world forced to work and communicate from home during the coronavirus pandemic.
Subdomain Takeover Vulnerability
The flaw lies in how Microsoft Teams handles authentication for image resources. Each time the application is opened, an access token in the form of a JSON Web Token (JWT) is created during the process, allowing the user to view images shared by themselves or by other participants in a conversation.
CyberArk researchers found that they could obtain a cookie (called “authtoken”) that grants access to the resource server (api.spaces.skype.com) and use it to create the aforementioned “Skype token”, which in turn provides unrestricted permissions to send messages, read messages, create groups, add users to or remove users from groups, and change group permissions through the Teams API. But that is not all.
Because the authtoken cookie is configured to be sent to teams.microsoft.com or any of its subdomains, the researchers looked for subdomains that could be hijacked and found two (aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com) that were vulnerable to takeover.
“If an attacker can force a user to visit subdomains that were taken over, the victim’s browser will send this cookie to the attacker’s server, and the attacker (after receiving the auth token) can create a Skype token,” the researchers said. “After that, the attacker can steal the victim’s Teams account information.”
Armed with the hijacked subdomains, an attacker could exploit the vulnerability simply by sending a malicious link, such as a GIF, to an unsuspecting victim or to every participant in a group conversation. When the recipients open the message, the browser attempts to load the image, but not before sending the authtoken cookie to the hijacked subdomain.
The bad actor can then use this authtoken cookie to create a Skype token and thereby gain access to all of the victim’s data. Worse, the attack can be launched by any outsider as long as the interaction includes a chat interface, such as an invitation to a conference call for a job interview.
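The attack described above needs two conditions at once: a cookie whose Domain attribute makes the browser send it to every subdomain, and a subdomain whose DNS record nobody controls any more. The following is an added example, not CyberArk's or Microsoft's code, that models both from a defender's side: it implements RFC 6265 domain matching, audits a zone snapshot for dangling CNAMEs, and reports which dangling names would also receive the cookie, which is the list to clean up first. The hostnames under teams.microsoft.com are the ones named in the article; the zone records, CNAME targets, resolver answers and cookie values are constructed placeholders.

```python
"""Added example (not CyberArk's or Microsoft's code): cookie scope vs.
dangling subdomain records. Hostnames under teams.microsoft.com come from
the article; all records, targets, resolver answers and cookie values are
constructed placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: Optional[str]  # None: host-only cookie (no Domain attribute set)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: a host domain-matches a cookie domain if they
    are equal, or if the host ends with '.' + cookie_domain and is not an IP."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    if host == dom:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal never matches a broader cookie domain
    except ValueError:
        pass
    return host.endswith("." + dom)


def would_send(cookie: Cookie, origin_host: str, request_host: str) -> bool:
    """Would a browser that received `cookie` from `origin_host` attach it to a
    request for `request_host`? A host-only cookie matches only the exact
    origin host; a cookie with a Domain attribute uses domain_matches()."""
    if cookie.domain is None:
        return request_host.lower().rstrip(".") == origin_host.lower().rstrip(".")
    return domain_matches(request_host, cookie.domain)


# Constructed zone snapshot: name -> (record type, target)
ZONE: Dict[str, Tuple[str, str]] = {
    "teams.microsoft.com": ("A", "203.0.113.10"),
    "aadsync-test.teams.microsoft.com": ("CNAME", "aadsync-test-placeholder.cloudapp.example"),
    "data-dev.teams.microsoft.com": ("CNAME", "data-dev-placeholder.cloudapp.example"),
    "docs.teams.microsoft.com": ("CNAME", "docs-placeholder.cloudapp.example"),
}

# Constructed stand-in for a resolver: the CNAME targets that still resolve.
RESOLVABLE = frozenset({"docs-placeholder.cloudapp.example"})


def find_dangling(zone: Dict[str, Tuple[str, str]],
                  resolvable=RESOLVABLE) -> List[Tuple[str, str]]:
    """CNAMEs whose target no longer resolves: the precondition for a subdomain
    takeover, because whoever registers the target then serves the name."""
    return [(name, target) for name, (rtype, target) in sorted(zone.items())
            if rtype == "CNAME" and target not in resolvable]


def cookie_exposure(cookie: Cookie, origin_host: str,
                    zone: Dict[str, Tuple[str, str]],
                    resolvable=RESOLVABLE) -> List[str]:
    """Dangling names to which the browser would also send `cookie`. Fixing
    either side (delete the record, or drop the Domain attribute so the
    cookie becomes host-only) empties this list."""
    return [name for name, _ in find_dangling(zone, resolvable)
            if would_send(cookie, origin_host, name)]


ORIGIN = "teams.microsoft.com"
DOMAIN_SCOPED = Cookie("authtoken", "constructed-jwt-value", domain="teams.microsoft.com")
HOST_ONLY = Cookie("authtoken", "constructed-jwt-value", domain=None)

if __name__ == "__main__":
    print("dangling records:", find_dangling(ZONE))
    print("exposed with Domain attribute:", cookie_exposure(DOMAIN_SCOPED, ORIGIN, ZONE))
    print("exposed as host-only cookie:", cookie_exposure(HOST_ONLY, ORIGIN, ZONE))
```

Run against the constructed zone, the domain-scoped cookie is exposed on both dangling names, while the host-only variant is exposed on none. In a real audit the `RESOLVABLE` set would be replaced by actual resolver lookups and the zone by an export from the DNS provider; the matching and reporting logic stays the same.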
“The victim will never know that he was attacked, which makes the use of this vulnerability secretive and dangerous,” the researchers said.
Videoconferencing attacks on the rise
The shift to remote work during the ongoing COVID-19 pandemic, and the resulting surge in demand for video conferencing services, has made these platforms a lucrative lure for attackers seeking to steal credentials and distribute malware.
Recent research by Proofpoint and Abnormal Security has identified social engineering campaigns that ask users to join a Zoom meeting or to fix a Cisco WebEx security vulnerability by clicking malicious links designed to steal login credentials.
In the face of these emerging threats, users are advised to beware of phishing attacks and keep video conferencing software up to date.