Microsoft has fixed a bug in its widely used Teams unified communications and collaboration (UCC) product that could have allowed attackers to take over an organisation's entire roster of Teams accounts by sending a malicious .gif image file to a single target user.
The bug, unearthed by CyberArk, is a two-stage attack. It hinges on the takeover of a vulnerable Microsoft-owned subdomain, combined with specific behaviour in the Microsoft Teams authentication system: the way authentication tokens for images within Teams are created and handed to the subdomain from which an image is loaded.
Because the Teams client attached the authentication token when it fetched the image, CyberArk found that an attacker who sent a target user a malicious .gif hosted on a compromised subdomain would receive the victim's token and could use it to take over the account. CyberArk found two such subdomains at Microsoft, both of them now locked down. The .gif did not have to be opened, clicked or shared, merely displayed in the chat, which made the exploit particularly dangerous.
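The scoping rule behind that behaviour is worth seeing in code. The following is an added example, not code from CyberArk, Microsoft or this article: a small model of RFC 6265 cookie scoping that shows why a token carried in a cookie scoped to a parent domain is handed to every subdomain, including one an attacker has claimed, whereas a host-only cookie is not. All names are hypothetical: teams.example.com stands in for the service domain, orphaned.teams.example.com for a subdomain reclaimed by an attacker through a dangling DNS record, and session_token for the cookie name.

```python
"""Added example (not CyberArk's or Microsoft's code): a model of RFC 6265
cookie scoping, showing why a token in a cookie scoped to a parent domain is
sent to any subdomain, including one an attacker has taken over.

Hypothetical names throughout: teams.example.com stands in for the service
domain, orphaned.teams.example.com for an attacker-claimed subdomain, and
session_token for the cookie name.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str        # canonical form: lower-case, no leading dot
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    secure: bool = True


def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: `host` domain-matches `domain` when they are
    identical, or when `domain` is a suffix of `host` preceded by a dot and
    `host` is not an IP address."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    if host == domain:
        return True
    return host.endswith("." + domain) and not _is_ip_literal(host)


def cookie_sent_to(cookie: Cookie, url: str) -> bool:
    """Would a compliant client attach `cookie` to a request for `url`?
    (Path matching is omitted: the cookies of interest here use Path=/.)"""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if cookie.secure and parts.scheme != "https":
        return False
    if cookie.host_only:                      # host-only flag, section 5.4 step 1
        return host == cookie.domain
    return domain_matches(host, cookie.domain)


def recipients(cookie: Cookie, urls) -> list:
    """Every URL in `urls` that would receive `cookie` when fetched."""
    return [u for u in urls if cookie_sent_to(cookie, u)]


# Constructed chat message: three inline images. The second is hosted on a
# subdomain the attacker now controls (hypothetical); the third is off-domain.
MESSAGE_IMAGE_URLS = [
    "https://img.teams.example.com/emoji/smile.gif",
    "https://orphaned.teams.example.com/funny.gif",
    "https://cdn.unrelated-example.net/pic.gif",
]

# Weak setting: Set-Cookie: session_token=...; Domain=teams.example.com; Secure
BROAD_TOKEN = Cookie("session_token", "teams.example.com", host_only=False)
# Hardened setting: the same cookie with no Domain attribute (host-only)
HOST_ONLY_TOKEN = Cookie("session_token", "teams.example.com", host_only=True)


if __name__ == "__main__":
    for label, c in (("Domain-scoped", BROAD_TOKEN), ("host-only", HOST_ONLY_TOKEN)):
        print(f"{label} token is sent to: {recipients(c, MESSAGE_IMAGE_URLS)}")
```

Run as a script, the Domain-scoped token is attached to both the legitimate image host and the attacker's subdomain, while the host-only token goes to neither. The caveat is that host-only scoping also cuts off legitimate image hosts on other subdomains, so in practice a narrow token scope has to be paired with eliminating dangling DNS records; the article notes that Microsoft's remediation included locking down the two affected subdomains.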
If successfully exploited, the vulnerability could have spread across corporate networks to affect every user of the target's Teams desktop or browser application, letting the attacker steal sensitive business data and harvest user accounts, according to CyberArk researcher Omer Tsarfati.
“The fact that the victim needs only to see the crafted message to be impacted is a nightmare from a security perspective,” he said in a disclosure blog.
“Every account that could have been impacted by this vulnerability could also have been a spreading point to all other company accounts. The vulnerability can also be sent to groups (Teams), which makes it even easier for an attacker to get control over users faster and with fewer steps.
“Even if an attacker doesn’t gather much information from a Teams account, they could use the account to traverse throughout an organisation. Eventually, the attacker could access all the data from your organisation Teams accounts – gathering confidential information, competitive data, secrets, passwords, private information, business plans.”
Hijacked accounts could also be used to send false information to employees while impersonating trusted leadership, with potentially more severe consequences.
Tsarfati said that although one suggested mitigation was to restrict Microsoft Teams to internal communications, this would not be enough on its own, because any interaction that opens a chat interface with someone outside the organisation is enough to be affected, for example an invitation to a conference call with an outsider for a job interview.
CyberArk’s research team worked with Microsoft’s Security Response Center after finding the vulnerabilities in March 2020, and a patch was made available on 20 April.
Geraint Williams, CISO at GRCI, a provider of risk management and compliance services, said the vulnerability was especially concerning given that so many organisations have rolled out videoconferencing services such as Teams at speed during the Covid-19 coronavirus pandemic. Many of them, he said, would not have had time to consider hardening or pen testing their defences.
“With tools like Teams, it is so important to ensure that only approved and regulated users can access the platform and post in collaboration activities – it all boils down to having robust user access controls and strong authentication processes in place,” Williams told Computer Weekly in emailed comments.
“This extends to any other individuals you are collaborating with on Teams who are from outside of your organisation. Even if you have a trusted relationship with that individual, you need to be as confident in their security controls as you are in your own – otherwise, this kind of attack could be leveraged through a subdomain of a trusted partner.
“Ensuring that you keep libraries up to date, patch software regularly, have strong authentication processes for all users and maintain secure domains are good starting points in your organisation’s cyber defence. However, it is also crucial that you regularly attack these defences yourself, so you can assess them for weak points.”
Tim Mackey, principal security strategist at Synopsys' Cybersecurity Research Center (CyRC), said: “For the general public, this specific vulnerability has been mitigated by Microsoft, but the research shows just how careful we need to be when working with any content. In this case, had no patch been applied, simply viewing a malicious image would be the culprit. This then becomes another example where opening unexpected content could have serious repercussions and why, in this time of remote work, everyone should review their IT security training.
“For developers, this vulnerability disclosure is far more interesting. It highlights the reality that there never is a single weakness behind any attack and that complex systems can provide opportunities for attack.”
Mackey added: “Protecting against this type of attack requires API developers to think like attackers and ensure they fully understand the scope of any access their API tokens provide while also building a comprehensive threat model covering misuse of their APIs.”
Tsarfati’s full disclosure blog, including extensive technical information and proofs of concept, can be read at CyberArk’s website.