Published on April 27th, 2020
Microsoft Teams patched against image-based account takeover
After looking at how Microsoft Teams handles image resources, security researchers found a way to take over accounts by sending recipients a regular GIF.
The method could have been used for the desktop and web versions of Teams to get access to multiple accounts at once and steal conversations and threads.
Controlling a subdomain under teams.microsoft.com was the main condition for the attack, and the researchers had two to choose from. Microsoft received a report about the vulnerability and pushed mitigations to prevent the attack.
In a blog post today, researchers at cybersecurity company CyberArk published details on how Microsoft Teams loads images and how the authentication works to deliver this type of message.
To make sure that a recipient gets the image intended for them, authentication completes via two tokens: “authtoken” and “skypetoken.”
The former authenticates users so they can load images from domains across Teams and Skype, and it is used to generate the latter, which in turn authenticates to the server that handles action requests from the client, such as reading or sending messages.
An attacker with both these cookies could make calls through the Teams APIs and have complete control of an account: read/send messages, create groups, add or remove users, change permissions.
One hurdle here is that “authtoken” can be used only with a subdomain under “teams.microsoft.com.” Delving deeper into this, CyberArk researchers found they could run a subdomain takeover attack on the following:
To pull this off, the attacker needs a digital certificate for the compromised subdomain, since the “authtoken” cookie is set with the Secure flag and is therefore only sent over HTTPS. However, this problem is not difficult to overcome.
With that in place, all that remains is to send a lure to the victim in order to obtain “authtoken.” Sending them an image message causes their web browser to try to load the resource, which delivers the cookie to the compromised subdomain and lets the attacker generate the Skype token that provides full access to the account.
Everything happens behind the scenes, so the victim remains completely unaware that a threat actor has taken control of their Microsoft Teams account.
CyberArk researchers say that this attack could spread automatically in a worm-like fashion from one compromised account to others in the same organization.
Getting a victim’s conversations would not be difficult for the attacker; a script that scrapes the conversations and threads could take care of that. For demo purposes, the researchers wrote code that steals the messages.
Microsoft has taken action against this threat after being alerted through its vulnerability disclosure program. One step was to delete the misconfigured DNS records that allowed taking control of the two subdomains. Other mitigations were put in place and continue to be rolled out to avoid similar flaws in the future.
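One defensive check that follows from the DNS-record cleanup described above, as an added example that is not part of the article or of CyberArk’s research: it parses a BIND-style zone fragment and flags CNAME records whose targets no longer resolve, which is the condition a subdomain takeover relies on. The zone, the hostnames and the stub resolver are all constructed; a real run would replace the stub with a socket-based lookup.

```python
import re
from typing import Callable, List, Tuple

# Constructed BIND-style zone fragment (not real Microsoft records).
# "old-app" points at a CNAME target that no longer exists: a dangling record.
ZONE = """
$ORIGIN example-teams.test.
portal   IN CNAME  portal.cloudapp.example-cloud.test.
old-app  IN CNAME  retired-app.cloudapp.example-cloud.test.
api      IN A      198.51.100.10
"""

# Constructed stand-in for a resolver; a real audit would use socket.gethostbyname.
LIVE_NAMES = {"portal.cloudapp.example-cloud.test."}

def stub_resolves(name: str) -> bool:
    """Return True if the constructed 'internet' knows this name."""
    return name in LIVE_NAMES

def parse_zone(text: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Return (origin, [(owner, rtype, rdata)]) for simple A/CNAME records."""
    origin, records = "", []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = re.match(r"(\S+)\s+IN\s+(A|CNAME)\s+(\S+)$", line)
        if m:
            records.append(m.groups())
    return origin, records

def find_dangling(text: str, resolves: Callable[[str], bool]) -> List[Tuple[str, str]]:
    """CNAME records whose target no longer resolves: subdomain-takeover candidates."""
    origin, records = parse_zone(text)
    findings = []
    for owner, rtype, rdata in records:
        if rtype == "CNAME" and not resolves(rdata):
            fqdn = owner if owner.endswith(".") else f"{owner}.{origin}"
            findings.append((fqdn, rdata))
    return findings

if __name__ == "__main__":
    for fqdn, target in find_dangling(ZONE, stub_resolves):
        print(f"dangling CNAME: {fqdn} -> {target}")
```

Any name this reports should be removed from the zone or repointed before the orphaned target can be claimed by someone else.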
A video from CyberArk shows how an attacker could have leveraged the vulnerability to gain control over Microsoft Teams accounts: