Microsoft Teams is among the popular video conferencing services and has seen a rise in users owing to the coronavirus pandemic. But, with the increase in user base, comes an increased security risk. A new analysis of Microsoft Teams by information security company CyberArk found that user accounts were vulnerable to takeovers just by sharing a malicious GIF. This vulnerability is associated to the temporary access token created by Microsoft Teams at various points and can affect both the Teams desktop or web browser versions. However, Microsoft said it has addressed the issue and taken steps to keep its customers safe.
Background for temporary access tokens
The vulnerability was spotted by CyberArk when it analysed how Microsoft Teams works. During the research, it was found that every time Teams is opened, the client creates a new temporary token or access token. Just like the initial access token, there are other tokens that are created as well for say for SharePoint, Outlook and other services. These tokens are then used to allow a user to see images or GIFs shared with them or by them. As these images are stored on Microsoft’s servers, a token called “skype token” is created and can also be seen as a cookie called “skypetoken_asm.”
The researchers noted that Teams makes sure that users will be able to see the content by establishing two cookies called “authtoken” and “skypetoken_asm.” Thus, if someone gets access to the authtoken, they can create a skype token. Stating that two of the sub-domains under Microsoft Teams namely, ‘aadsync-test.teams.microsoft.com’ and ‘data-dev.teams.microsoft.com’, were vulnerable to a subdomain takeover, CyberArk said that if an attacker can “force a user to visit the sub-domains”, the victim’s browser will send a cookie to the attacker’s server, which will allow the attacker to create a skype token. This will then give the attacker access to the victim’s Teams account data.
By leveraging this vulnerability in Microsoft Teams, CyberArk stated that attackers could have used a malicious GIF to “scrape user’s data and ultimately take over an organization’s entire roster of Teams accounts.” It was noted that vulnerabilities like this have the ability to spread automatically and would affect every user who uses the Teams desktop or web browser version.
The analysis also pointed out that after working with Microsoft Security Research Center, the issue was fixed. According to ZDNet, Microsoft said, “We addressed the issue discussed in this blog and worked with the researcher under Coordinated Vulnerability Disclosure. While we have not seen any use of this technique in the wild, we have taken steps to keep our customers safe.”