

The disclosed flaw is a worm-like vulnerability that allows criminals to take over an organization’s entire roster of Teams accounts just by sending victims a malicious link to an innocent-looking GIF image.

Even if a criminal doesn’t have sensitive information from a Teams account, the flaw can be used to perform a spreading attack over the organization’s accounts just like a worm, getting the accounts’ tokens and then accessing all the chat sessions of the target users.

Figure 1 below demonstrates how this attack can be executed against a large company.

Figure 1: Microsoft Teams attack workflow

In detail, the attack can be exploited following the next steps:

1. A malicious GIF image is prepared by the criminals and sent to a first victim during a videoconference via chat.
2. The victim opens and sees the message with the GIF image embedded.
3. At this point, the criminal impersonates the victim and spreads the GIF image with the payload across the organization’s Teams accounts like a worm, infecting a large group of employees.
4. The message is disseminated and other victims are affected.
5. The victims’ Teams tokens are sent to the criminal’s side.
6. Criminals can use the exfiltrated tokens to access the victims’ information, contacts, messages and so on.

As described above, the vulnerability resides in a simple GIF image and in the way Teams handles authentication to image resources. Below, the initial payload is presented.

Figure 2: GIF image sent to the first victim.

In detail, when the application is opened (both mobile and desktop), a JSON Web Token (JWT), the access token, is created during that process. This token allows a user to view images shared by the individual or others in a conversation/meeting.

Because of this, a cookie called “authtoken” that grants access to a resource server “” can be abused to create the “skype token”, giving access to send messages, create groups, add new users to or remove users from groups, change permissions in groups via the Teams API and so on.

Figure 3: JWT token exfiltrated by using this vulnerability.

After getting this privileged token, it can be abused to interact with other internal systems of the Microsoft ecosystem.

Next step: The takeover attack

In order to perform a successful attack, two subdomains were identified as vulnerable to takeover attacks:

Having reached this point, a criminal can force a user to access the subdomains that have been taken over.

After that, the victim’s browser will send the cookie authtoken to the criminals’ remote server.
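The last step relies on the authtoken cookie being scoped so that the browser attaches it to requests for any subdomain of the parent domain, including one whose DNS record has been abandoned. The following is an added example, not code from the original article: it applies the RFC 6265 domain-matching rule to a constructed DNS zone to list dangling subdomains that would still receive a domain-scoped cookie, compared with a host-only cookie. All hostnames, records and cookie values are constructed placeholders, not real Teams hosts.

```python
"""Added example: why a parent-domain cookie reaches a taken-over subdomain.
All names, DNS records and cookie values are constructed placeholders."""
import ipaddress


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-matching: the request host equals the cookie
    domain, or is a subdomain of it; bare IP addresses never domain-match."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal is never a subdomain of anything
    except ValueError:
        pass
    return host.endswith("." + cookie_domain)


def cookie_sent_to(cookie: dict, request_host: str) -> bool:
    """A cookie set without a Domain attribute is host-only and goes back only to
    the host that set it; a Domain cookie goes to every matching subdomain."""
    if cookie.get("domain") is None:
        return request_host.lower() == cookie["set_by"].lower()
    return domain_matches(request_host, cookie["domain"])


def dangling_subdomains(zone: dict, resolvable: set) -> list:
    """Subdomains whose CNAME target no longer resolves: takeover candidates."""
    return sorted(name for name, target in zone.items() if target not in resolvable)


def exposed_by_cookie(cookie: dict, zone: dict, resolvable: set) -> list:
    """Dangling subdomains that a victim's browser would still send the cookie to."""
    return [h for h in dangling_subdomains(zone, resolvable) if cookie_sent_to(cookie, h)]


# Constructed sample zone: one live CNAME and one pointing at a retired tenant.
ZONE = {
    "app.teams.example.com": "app-prod.cloudhost.example.net",
    "test-old.teams.example.com": "retired-tenant.cloudhost.example.net",  # dangling
}
RESOLVABLE = {"app-prod.cloudhost.example.net"}
DOMAIN_COOKIE = {"name": "authtoken", "set_by": "teams.example.com", "domain": "teams.example.com"}
HOST_ONLY_COOKIE = {"name": "authtoken", "set_by": "teams.example.com", "domain": None}

if __name__ == "__main__":
    print(exposed_by_cookie(DOMAIN_COOKIE, ZONE, RESOLVABLE))     # ['test-old.teams.example.com']
    print(exposed_by_cookie(HOST_ONLY_COOKIE, ZONE, RESOLVABLE))  # []
```

Narrowing the cookie's Domain attribute to the host that actually needs it, and removing or re-pointing dangling CNAMEs, both close the path the example exposes.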
