Microsoft Teams has become a popular and useful tool for organizations working remotely, especially during the coronavirus outbreak. It offers a long list of features to win professionals over from alternatives like Slack and Google Hangouts Meet. Security researchers found a vulnerability in Microsoft Teams that could let attackers take over business accounts using specially crafted links or GIF images. The Redmond company has confirmed the flaw and fixed it before it could be widely exploited.
According to researchers at the information security firm CyberArk, the vulnerability lay in the way Microsoft Teams passes the authentication access token to image resources. An attacker could abuse this to craft a link or a GIF file that, once processed by Microsoft Teams, sends the authentication token to a third-party server.
When the user clicks the malicious link, the token is delivered to a server under the attacker's control. In the case of a GIF file, the token is sent from the victim's Teams account simply by viewing the specially crafted image.
Once in possession of the authentication token, the researchers said, the attacker could take over the victim's account through the Teams API. The flaw also let the attacker read the messages received by the affected user and send messages on their behalf. The researchers said the vulnerability could spread from one account to every connected account in a company that uses Microsoft Teams.
In a blog post, the researchers noted that the GIF could be sent to groups (Teams), letting an attacker take control of many users faster and with fewer steps.
The researchers also developed a proof-of-concept (PoC) to show the scope of the flaw.
The access token only lets an attacker take over an account if it is sent to a subdomain of teams.microsoft.com. That means the attacker first has to compromise such a subdomain in order to receive the token and gain access to the victim's account.
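As an added illustration (not code from the article or from CyberArk): the reason a taken-over subdomain is enough is that a credential scoped to a parent domain is attached by the browser to requests for every host beneath it. The Python below implements RFC 6265 domain-matching and shows which cookies a browser would send to several hosts. It assumes the Teams token travels as a cookie with Domain=teams.microsoft.com; the article only says the token is sent to subdomains of teams.microsoft.com, so that is an assumption. The cookie names and every host name other than teams.microsoft.com are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str              # Domain attribute value, or the setting host
    host_only: bool = False  # True when the server set no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-matching.

    A request host matches a cookie Domain when the two are identical, or
    when the host ends with "." + domain. This is why a cookie scoped to
    teams.microsoft.com travels to every subdomain of it, including one an
    attacker has managed to take over.
    """
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def cookies_sent_to(request_host: str, jar: Iterable[Cookie]) -> List[str]:
    """Names of the cookies in `jar` that a browser attaches to a request
    for `request_host`. Host-only cookies need an exact host match; cookies
    with a Domain attribute use domain-matching."""
    host = request_host.lower().rstrip(".")
    sent = []
    for c in jar:
        if c.host_only:
            ok = host == c.domain.lower().strip(".")
        else:
            ok = domain_matches(host, c.domain)
        if ok:
            sent.append(c.name)
    return sorted(sent)


# Constructed cookie jar. "authtoken" stands in for the Teams access token
# and is ASSUMED to be scoped to the parent domain (the article does not say
# how the token is carried); "host_only_session" shows the contrast of a
# cookie set without a Domain attribute.
JAR = (
    Cookie("authtoken", "teams.microsoft.com"),
    Cookie("host_only_session", "teams.microsoft.com", host_only=True),
)

# Constructed host names (only teams.microsoft.com appears in the article).
HOSTS = (
    "teams.microsoft.com",                # the legitimate origin
    "stale-service.teams.microsoft.com",  # a subdomain an attacker took over
    "teams.microsoft.com.example.net",    # suffix look-alike, not a subdomain
    "notteams.microsoft.com",             # sibling host, not a subdomain
)

if __name__ == "__main__":
    for h in HOSTS:
        print(f"{h:40} -> {cookies_sent_to(h, JAR)}")
```

The point for a defender: the parent-domain token reaches the taken-over subdomain but not the look-alike or sibling hosts, and an HttpOnly flag would not help, because it is the browser itself that attaches the token to the image request. What matters is which hosts a credential can reach, so every subdomain inside a cookie's scope, including forgotten or unclaimed ones, is part of the attack surface.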
Microsoft speaks about the flaw
At the time of testing, the CyberArk researchers found only two subdomains that could be taken over and used to receive the access token. It is not clear whether the flaw could be exploited through other subdomains. Security news site SecurityWeek reports that Microsoft has assured that the subdomains identified by the researchers can no longer be used for exploitation. The company also released a statement confirming that the vulnerability has been fixed.
A Microsoft spokesperson, as quoted by SecurityWeek, said that they addressed the issue discussed in the blog and worked with the researcher under Coordinated Vulnerability Disclosure. They have not seen any use of these techniques in the wild, and they have taken steps to keep their customers safe.
Coronavirus helped Teams to reach new users
Microsoft Teams has been a strong competitor to the professional communication platform Slack since its launch for Office 365 customers in March 2017. It gained popularity during the coronavirus outbreak as many people work from home to slow the spread of the pandemic. The app added more than 1.2 crore (12 million) daily users in one week last month, a 37.5% jump. It has more than 4.4 crore (44 million) users worldwide, with more than 2.4 crore (24 million) added since November.
The outbreak has also boosted apps like Zoom that were not nearly as popular before.