Microsoft’s collaboration platform Teams contained a vulnerability that allowed attackers to send a GIF that only had to be viewed by the victim for the victim’s client to hand a valuable access token to a server under the attacker’s control.
This could then be used to escalate an attack until a hacker was able to “take over an organisation’s entire roster of Teams accounts.”
The bug, disclosed to Microsoft on March 23, was discovered and reported by US-based account security firm CyberArk, and quietly patched by Redmond a month later, on April 20, the security company said today.
It combined a subdomain takeover on two Microsoft Teams subdomains with the theft of the API authentication tokens that the Teams client sends to them, in a somewhat complex but highly effective attack for a dedicated adversary.
Microsoft Teams is an enterprise collaboration platform built on Office 365: each team is backed by an Office 365 group, a SharePoint Online site and a document library that stores the team’s files, so a compromised account could have significant consequences.
Normally, an attacker who can get a user to visit a subdomain they control can make the victim’s browser send account data or authentication tokens, which can then be used to start further escalation. The attack path identified by CyberArk, however, needs no click at all: once the attacker has done the preparatory work of taking over the subdomains, the victim only has to view a malicious GIF.
CyberArk notes in its report: “The fact that the victim only needs to see the crafted message to be impacted is a nightmare from a security perspective. Every account that could have been impacted by this vulnerability could also be a spreading point to all other company accounts. The GIF could also be sent to groups (a.k.a Teams), which makes it even easier for an attacker to get control over users faster and with fewer steps.”
The attack abused how Teams authorises a user to view images: the client presents two cookies, “authtoken” and “skypetoken_asm”, to the server hosting the image. Because the “authtoken” cookie is scoped to the parent domain teams.microsoft.com, the browser also sends it to any subdomain of it. An attacker who took over two unsecured subdomains within the Teams platform could therefore collect the authentication tokens of every user who loaded an image from them, and use those tokens to gain access and scrape data.
A Microsoft spokesperson commented by email that: “We addressed the issue discussed in this blog and worked with the researcher under Coordinated Vulnerability Disclosure. While we have not seen any use of this technique in the wild, we have taken steps to keep our customers safe.”
Microsoft Teams Vulnerability
CyberArk first found two subdomains that – due to misconfigured DNS records – were open to takeover. The sub-domains were aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com.
Every time you log into Teams a number of authentication tokens are created. To authorise image loads Teams uses two of them, the ‘authtoken’ and the ‘skypetoken_asm’.
The issue is that the ‘skypetoken’ is what authorises the valuable requests to the Teams server, while the ‘authtoken’ can be exchanged for a ‘skypetoken’.
When a user viewed an image served from one of the compromised subdomains, their browser sent the ‘authtoken’ cookie along with the request, which inadvertently gave the attacker what they needed to create a ‘skypetoken’ for that user.
CyberArk researchers managed to obtain both tokens and, with the access token (authtoken) and the skype token, were “able to make API calls/actions through Teams API interfaces, which lets you send messages, read messages, create groups, add new users or remove users from groups, change permissions in groups, etc.”
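The mechanism behind both the overview above and the token walk-through is cookie domain scoping: a cookie set with a Domain attribute is sent to every subdomain of that domain, so a dangling DNS record on any one of them becomes a token sink, whereas a host-only cookie (no Domain attribute) is only ever returned to the exact host that set it. The following is an added example written for this article, not code from CyberArk or Microsoft. It models the RFC 6265 storage and matching rules in Python and asks which cookies a victim’s browser would hand to a given subdomain. The two subdomain names are the ones CyberArk reported; the token values, the Set-Cookie attribute lists and the host-only ‘session_hostonly’ cookie used for contrast are constructed here and are not taken from the report.

```python
"""Which cookies would a browser send to a taken-over subdomain?

Model of the RFC 6265 cookie domain rules (sections 5.1.3, 5.3 and 5.4),
written as an illustration for this article. Token values and the
'session_hostonly' cookie are constructed; the Domain attribute on
'authtoken' mirrors the report's description that the cookie reaches any
teams.microsoft.com subdomain.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # lower-case, no leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    secure: bool


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: host equals the domain, or ends with '.' + domain."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)


def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Store a Set-Cookie header the way a browser would (RFC 6265 s5.3).

    A Domain attribute makes the cookie available to every subdomain of that
    domain; without one the cookie is host-only and is returned solely to
    origin_host. A host may only set a Domain that covers itself.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, host_only, secure = origin_host.lower(), True, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "domain" and val:
            dom = val.lower().strip(".")
            if not domain_matches(origin_host, dom):
                raise ValueError(f"{origin_host} may not set a cookie for {dom}")
            domain, host_only = dom, False
        elif key == "secure":
            secure = True
    return Cookie(name, value, domain, host_only, secure)


def cookies_sent_to(jar: List[Cookie], request_host: str, https: bool = True) -> List[str]:
    """RFC 6265 s5.4: names of the cookies attached to a request for request_host."""
    host = request_host.lower().rstrip(".")
    sent = []
    for c in jar:
        if c.host_only:
            if host != c.domain:      # host-only: exact host match required
                continue
        elif not domain_matches(host, c.domain):
            continue
        if c.secure and not https:    # Secure cookies never travel over plain HTTP
            continue
        sent.append(c.name)
    return sent


# Constructed Set-Cookie headers as the web client at teams.microsoft.com might
# receive them. 'authtoken' carries a Domain attribute (the weak setting the
# attack relied on); 'session_hostonly' is an invented host-only cookie showing
# the hardened alternative.
ORIGIN = "teams.microsoft.com"
SET_COOKIE_HEADERS = [
    "authtoken=Bearer%3Dexample-authtoken; Domain=teams.microsoft.com; Path=/; Secure; HttpOnly",
    "session_hostonly=example-host-only-token; Path=/; Secure; HttpOnly",
]
JAR = [parse_set_cookie(h, ORIGIN) for h in SET_COOKIE_HEADERS]


def exposed_to(subdomain: str) -> List[str]:
    """Cookies a victim's browser would hand to whoever controls `subdomain`."""
    return cookies_sent_to(JAR, subdomain)


if __name__ == "__main__":
    for host in ("aadsync-test.teams.microsoft.com", "data-dev.teams.microsoft.com",
                 "teams.microsoft.com", "microsoft.com", "evilteams.microsoft.com"):
        print(f"{host:36} -> {exposed_to(host)}")
```

Running it shows that both taken-over hostnames receive ‘authtoken’ but not the host-only cookie, while unrelated or look-alike hosts receive nothing. The audit use is the reverse direction: feed the Set-Cookie headers your own application emits into `parse_set_cookie` and list every cookie with `host_only == False`, because each one is exposed to every subdomain that can be taken over through a dangling DNS record.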
Geraint Williams, CISO of IT service management company GRCI told Computer Business Review via email: “With tools like Teams, it is so important to ensure that only approved and regulated users can access the platform and post in collaboration activities – it all boils down to having robust user access controls and strong authentication processes in place.
“This extends to any other individuals you are collaborating with on Teams who are from outside of your organisation.”
He added: “Even if you have a trusted relationship with that individual, you need to be as confident in their security controls as you are in your own – otherwise, this kind of attack could be leveraged through a sub-domain of a trusted partner. Ensuring that you keep libraries up to date, patch software regularly, have strong authentication processes for all users and maintain secure domains are good starting points in your organisation’s cyber defence.”
CyberArk’s detailed write-up of the exploit is here.