Microsoft Teams data from across your company could have been stolen with an “evil GIF”




Tech giants are competing to become the de facto videoconferencing tool for remote workers in the COVID-19 era. Zoom quickly rose to the top, but thanks to various security and privacy issues, competitors have caught up with it. But rivals also have their shortcomings, as evidenced by a weakness uncovered in Microsoft’s collaboration and videoconferencing tool Teams, as revealed on Monday.

For at least three weeks from late February to mid-March, a malicious GIF could have stolen data from users of Microsoft Teams accounts, possibly across an entire company, and taken control of “an entire list of Teams accounts from one organization,” cybersecurity investigators have warned.

The relevant vulnerability was patched on April 20, meaning users are now safe from this specific attack. But it shows that Zoom is not the only tool exposed to potentially catastrophic vulnerabilities. Other videoconferencing tools that have become enormously popular with populations under COVID-19 lockdown can and will also be targeted.

What is this evil GIF?

The vulnerability affected all versions of Microsoft Teams for desktop and web browser. The problem lay in the way that Microsoft handled authentication tokens to view images in Teams. Think of those tokens as files that prove that a legitimate user is accessing the Teams account. Microsoft manages those tokens on its server located at teams.microsoft.com or in any subdomain under that address. CyberArk discovered that it was possible to hijack two of those subdomains: aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com, as part of an attack.

They discovered that if a hacker could force a target to visit the hijacked subdomains, the authentication tokens could be passed to the attacker’s server. They could then create another token, the “skype” token, which gave them access to steal the victim’s Teams account data.

The obvious way to convince a user to visit compromised subdomains would be through a classic phishing attack, where the hacker would send a link to a target and try to get them to click on it. But CyberArk investigators deemed that too obvious, so they created a “wicked” Donald Duck GIF that, upon being viewed, would force the victim’s Teams account to give up its authentication token, and thus their data. This is because the GIF source was a compromised subdomain, and Teams will automatically contact it to view the image.
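The scoping problem described above, as an added example (not CyberArk's or Microsoft's code): it assumes the token behaves like a browser cookie and applies RFC 6265 domain matching to show why a token scoped to teams.microsoft.com also reaches the two subdomains, while a host-only one does not. The cookie names and the `notteams` host are constructed for illustration.

```javascript
// Added example: which hosts receive a cookie-style token (RFC 6265 matching).
// Cookie names below are hypothetical; IP-address hosts are not handled.

// RFC 6265 section 5.1.3: host equals the domain or ends with "." + domain.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Would a browser attach this cookie to a request for `host`?
// A host-only cookie (set without a Domain attribute) needs an exact match.
function isSentTo(cookie, host) {
  if (cookie.hostOnly) {
    return host.toLowerCase() === cookie.domain.toLowerCase();
  }
  return domainMatch(host, cookie.domain);
}

// Defender's audit: for each host, list the cookies it would receive.
function exposure(cookies, hosts) {
  const out = {};
  for (const host of hosts) {
    out[host] = cookies.filter((c) => isSentTo(c, host)).map((c) => c.name);
  }
  return out;
}

// Constructed sample data.
const cookies = [
  { name: "wide_token", domain: "teams.microsoft.com", hostOnly: false },
  { name: "host_token", domain: "teams.microsoft.com", hostOnly: true },
];
const hosts = [
  "teams.microsoft.com",
  "aadsync-test.teams.microsoft.com", // subdomain named in the article
  "data-dev.teams.microsoft.com",     // subdomain named in the article
  "notteams.microsoft.com",           // constructed: no dot boundary, no match
];

const report = exposure(cookies, hosts);
console.log(report);
```

Any token that appears under a subdomain the organization no longer controls is exposed to whoever controls that host, which is why an image fetch was enough.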

CyberArk said hackers could have abused the weakness to create a worm, where the attack spreads from one user to another to hit large numbers of people in no time. “The fact that the victim only needs to see the elaborated message to be affected is a nightmare from a security perspective. Each account that could have been affected by this vulnerability could also have been a point of spread for all other company accounts,” the researchers wrote in a report delivered to Forbes before publication.

What is the impact?

The impact could have been severe, although there is no indication that a malicious hacker has exploited the vulnerability.

“Eventually, the attacker would be able to access all the data in the Teams accounts in his organization, collecting confidential information, competitive data, secrets, passwords, private information, business plans,” CyberArk wrote.

“Perhaps even more disturbingly, they could also exploit this vulnerability to send false information to employees, embodying a company’s most trusted leadership, leading to financial damage, confusion, direct data leakage, and more.”

What has Microsoft done?

The vulnerability was patched on April 20, although Microsoft took steps before March 23 to ensure that vulnerable subdomains could not be hijacked. That was the same day CyberArk informed the tech giant about what it found.

Omer Tsarfati, researcher at CyberArk Labs, told Forbes it was unclear how long the bug had been in Microsoft Teams. He said the vulnerable subdomains had been susceptible to takeover since February 27 of this year, meaning the weaknesses were at least three weeks old.

But he praised Microsoft for reacting “very quickly,” noting that users didn’t have to do anything, since the flaw was fixed for them.

As with Zoom, Microsoft has been acting quickly to fix problems affecting the growing population of remote workers. Although vulnerabilities will always affect such tools
