Microsoft fixes a bug that could let a GIF hack your organisation’s Teams account
This vulnerability not only affects Microsoft Teams on desktop but on the web as well.
Video conferencing apps have gained popularity at a time when a lockdown has been enforced in various countries across the globe in light of the Covid-19 outbreak. Hackers are using this opportunity to attack users in order to gain access to their account credentials and financial information. Now, a report highlights a new hack that malicious actors are using to target large organisations.
According to a report by CyberArk (via ZDNet), hackers are using a subdomain takeover vulnerability in combination with an infected GIF file to scrape a user's data and subsequently take over the entire Microsoft Teams account of an organisation.
According to their research, every time a user opens the app, Teams creates a temporary access token that is authenticated via login.microsoftonline.com. The app also uses the "authtoken" and "skypetoken_asm" cookies to restrict content access permissions. Of these, the Skype token is sent to teams.microsoft.com and its subdomains, two of which the researchers found to be vulnerable to subdomain takeover.
"If an attacker can somehow force a user to visit the subdomains that have been taken over, the victim's browser will send this cookie to the attacker's server, and the attacker (after receiving the authtoken) can create a Skype token," the report says, adding: "After doing all of this, the attacker can steal the victim's Teams account data."
The attacker then uses a GIF file or a malicious link to generate a token that not only authenticates the attacker but also compromises the victim's Teams account. This then gives the attacker the ability to hack into the Teams account of the victim's organisation.
What's more, this vulnerability not only affects Microsoft Teams on desktop but on the web as well.
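To see why the token cookie reached the vulnerable subdomains at all, here is an added example (not CyberArk's or Microsoft's code) that models browser cookie scoping with Python's http.cookiejar: a cookie set with a Domain attribute on the parent is attached to requests for every subdomain, while a host-only cookie (no Domain attribute) stays with the exact host that set it. The host names and token value are constructed placeholders, not the real Teams hosts.

```python
import http.cookiejar
import urllib.request

# Constructed placeholder hosts: the real case involved teams.microsoft.com
# and two of its subdomains. The token value below is also made up.
PARENT = "teams.example.test"
SUBDOMAIN = "media.teams.example.test"
TOKEN_COOKIE = "skypetoken_asm"

def make_cookie(name, value, domain, host_only):
    """Model a cookie as a browser stores it after a Set-Cookie header.
    host_only=True is a Set-Cookie with no Domain attribute (bound to the
    exact host); host_only=False is Domain=<parent>, which browsers also
    attach to every subdomain of that parent."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value, port=None, port_specified=False,
        domain=domain if host_only else "." + domain,
        domain_specified=not host_only, domain_initial_dot=not host_only,
        path="/", path_specified=True, secure=True, expires=None,
        discard=True, comment=None, comment_url=None, rest={}, rfc2109=False)

def build_jar(host_only):
    # DomainStrictNonDomain makes the policy treat host-only cookies the way
    # browsers do; the library default is more liberal and would blur the point.
    policy = http.cookiejar.DefaultCookiePolicy(
        strict_ns_domain=http.cookiejar.DefaultCookiePolicy.DomainStrictNonDomain)
    jar = http.cookiejar.CookieJar(policy=policy)
    jar.set_cookie(make_cookie(TOKEN_COOKIE, "constructed-token-value", PARENT, host_only))
    return jar

def cookies_sent_to(jar, host):
    """Names of the cookies the jar would attach to an HTTPS request to host."""
    req = urllib.request.Request(f"https://{host}/")
    jar.add_cookie_header(req)
    header = req.get_header("Cookie", "")
    return sorted(p.split("=", 1)[0].strip() for p in header.split(";") if p.strip())

def token_reaches(host, host_only):
    """True if the token cookie would be sent to host under the given scoping."""
    return TOKEN_COOKIE in cookies_sent_to(build_jar(host_only), host)

if __name__ == "__main__":
    for host_only, label in ((False, "Domain=" + PARENT), (True, "host-only")):
        for host in (PARENT, SUBDOMAIN):
            print(f"{label:>24}: sent to {host}? {token_reaches(host, host_only)}")
```

With the parent-domain scoping the token is sent to the subdomain as well; with host-only scoping it is not, which is the difference a takeover of an unrelated subdomain can exploit.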
Now for some good news: Microsoft has fixed the bug, and all Teams accounts are safe. "We addressed the issue discussed in this blog and worked with the researcher under Coordinated Vulnerability Disclosure. While we have not seen any use of this technique in the wild, we have taken steps to keep our customers safe," the company said in a statement to the publication.