- As more and more business is conducted from remote locations, attackers are focusing their efforts on exploiting the key technologies – like Zoom and Microsoft Teams – that companies and their employees depend on to stay connected.
- We found that by leveraging a subdomain takeover vulnerability in Microsoft Teams, attackers could have used a malicious GIF to scrape users’ data and ultimately take over an organization’s entire roster of Teams accounts.
- Since users wouldn’t have to share the GIF – just see it – to be impacted, vulnerabilities like this have the ability to spread automatically.
- This vulnerability would have affected every user who uses the Teams desktop or web browser version.
- CyberArk worked with the Microsoft Security Research Center under Coordinated Vulnerability Disclosure after finding the account takeover vulnerability, and a fix was quickly issued.

Teams, Slack or maybe Zoom? Which applications do you use? All are extremely popular with business users normally, but have been nothing short of essential during this “new norm” where businesses are working hard to stay connected to employees, customers and partners. These days everything is being done remotely – from job interviews to business meetings and even social gatherings. Now, more than ever, these platforms are our “go-to” for almost everything from a simple chat with a team member to a company-wide all-hands meeting. The amount of data that goes into these applications is enormous and often includes confidential information, from user names and passwords to top-secret business information – making them prime targets for attackers.

An attacker sends a GIF or an image to a victim and gets control over their account. This vulnerability worked just that way and had the potential to take over an organization’s entire roster of Microsoft Teams accounts.

For those of you who are unfamiliar with Microsoft Teams, it’s a leading communication and collaboration platform combining persistent workplace chat, video meetings, file storage, collaboration on files and integration with applications. One of the main benefits of Teams is that it provides first-party integration with a company’s Office 365 subscription and also features extensions that can integrate with non-Microsoft products. Given the prevalence of Teams in organizations of all sizes and the rise of its use (and that of other communications platforms like it), we wanted to dig in a bit deeper.

During the research, we noticed something very interesting in the way Teams passes the authentication access token to image resources.

Without getting into too many technical details, every time you open Teams, your client creates a new temporary token or access token. This access token, in the form of a JWT, is created by Microsoft’s authorization and authentication server – “ ”. Besides the initial access token, there are many others created for Teams, some of which are used to access different services like SharePoint, Outlook and many more.

The Teams client uses one of these created tokens to allow a user to see images shared with them or by them, as those images are stored on Microsoft’s servers, which apply authorization control. This token, called the “skype token,” can also be seen as a cookie named “skypetoken_asm.” While this token has more uses than just giving access to images, that’s what we’ll focus on here.

REST APIs are today’s common approach to exposing a set of operations and commands for applications, especially web applications like Teams.
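The mechanism that makes a token-bearing cookie plus a subdomain takeover dangerous is ordinary cookie scoping: a client that holds a cookie for a parent domain attaches it to requests for every host under that domain, including one whose DNS record an attacker has claimed, and an `<img>` in a chat is enough to trigger such a request. The following Python is an added example, not code from the CyberArk post or from Microsoft Teams. It implements RFC 6265 domain matching, compares a cookie scoped to a parent domain with the same token pinned to a single API host, and decodes a JWT payload without verification to show what a leaked token would reveal. All hostnames (`teams.example`, `stale.teams.example`, `attacker.example`), the cookie value and the token claims are constructed for the demo; only the cookie name `skypetoken_asm` comes from the text.

```python
# Added example, not code from the CyberArk post or from Microsoft Teams.
# Models the property the attack relied on: a client that sends an auth cookie
# to every host under the cookie's Domain also sends it to a taken-over
# subdomain when the victim's client renders an <img> hosted there.
# Hostnames, cookie value and JWT claims below are made up for the demo.
import base64
import json
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str        # Domain attribute from Set-Cookie (or the host, if host_only)
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    secure: bool = True


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: equal, or request_host is a subdomain of
    cookie_domain on a label boundary ("notteams.example" must not match)."""
    h = request_host.lower().rstrip(".")
    d = cookie_domain.lower().strip(".")
    return h == d or h.endswith("." + d)


def cookies_sent(jar, url: str):
    """Names of the cookies a conforming client attaches to a request for url."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    sent = []
    for c in jar:
        if c.secure and parts.scheme != "https":
            continue                      # Secure cookies never go over http
        if c.host_only:
            if host != c.domain.lower():  # host-only: exact host match required
                continue
        elif not domain_matches(host, c.domain):
            continue
        sent.append(c.name)
    return sent


def jwt_claims_unverified(token: str) -> dict:
    """Decode a JWT payload WITHOUT checking the signature, to see what a leaked
    token grants (audience, scope, expiry). Triage only, never authorization."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)   # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed token for the demo; real tokens are signed, here the
    signature segment is a placeholder."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed fixtures: the token as a parent-domain cookie (the weak setting)
# versus the same token pinned to one API host (the hardened setting).
BROAD_JAR = [Cookie("skypetoken_asm", "token-value", "teams.example", host_only=False)]
SCOPED_JAR = [Cookie("skypetoken_asm", "token-value", "api.teams.example", host_only=True)]

LEGIT_IMAGE = "https://cdn.teams.example/chat/cat.gif"
TAKEN_OVER_IMAGE = "https://stale.teams.example/cat.gif"   # dangling subdomain, now attacker-controlled
OUTSIDER_IMAGE = "https://attacker.example/cat.gif"


def leak_report(jar):
    """Map each image URL to the cookie names a client would send when rendering it."""
    return {u: cookies_sent(jar, u) for u in (LEGIT_IMAGE, TAKEN_OVER_IMAGE, OUTSIDER_IMAGE)}


if __name__ == "__main__":
    for label, jar in (("broad ", BROAD_JAR), ("scoped", SCOPED_JAR)):
        for url, names in leak_report(jar).items():
            print(f"{label}: {url} -> {names}")
    tok = make_unsigned_jwt({"aud": "https://api.teams.example", "scp": "images.read", "exp": 1700003600})
    print(jwt_claims_unverified(tok))
```

With the broad cookie, the taken-over `stale.teams.example` receives `skypetoken_asm` exactly as the legitimate CDN host does, while an outside domain gets nothing; with the host-only cookie, neither the stale subdomain nor the CDN host receives it, which is the trade-off a service faces when its images live on hosts other than the one that issued the cookie. Decoding the claims of a captured token tells the responder how long it stays valid and which audience and scope it carries.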